2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

max time kernel
1805s
max time network
1248s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2022, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

10^/10

microsoft persistence phishing

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 40 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	smss.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	7320	6492	msedge.exe	149
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	6860	6836	WerFault.exe	418
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3508	2768	WerFault.exe	440
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	8352	6948	WerFault.exe	447
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	8584	5732	WerFault.exe	454
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	10196	5312	WerFault.exe	131

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5956 created 7000	5956	svchost.exe	2092

Executes dropped EXE 2 IoCs

pid	Process
7000	smss.exe
7080	smss.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	smss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\efdea19f-7b58-4f57-b77d-d8a5e8073ded.tmp	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221009173144.pma	smss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Program crash 36 IoCs

pid	pid_target	Process	procid_target
6000	6192	WerFault.exe	171
6256	7540	WerFault.exe	219
7868	7344	WerFault.exe	267
1316	8492	WerFault.exe	319
9176	8776	WerFault.exe	325
8000	9208	WerFault.exe	335
3088	6872	WerFault.exe	348
8036	9012	WerFault.exe	360
8408	8460	WerFault.exe	377
8992	8436	WerFault.exe	388
8912	6328	WerFault.exe	413
6860	6836	WerFault.exe	418
7204	8100	WerFault.exe	435
4524	8776	WerFault.exe	434
3508	2768	WerFault.exe	440
8352	6948	WerFault.exe	447
8584	5732	WerFault.exe	454
5896	4248	WerFault.exe	474
8756	4300	WerFault.exe	485
9196	3756	WerFault.exe	494
5180	6692	WerFault.exe	498
7416	3124	WerFault.exe	480
9560	6516	WerFault.exe	507
9780	9700	WerFault.exe	521
9896	9864	WerFault.exe	527
10120	10088	WerFault.exe	532
10208	2244	WerFault.exe	426
8696	9732	WerFault.exe	540
10196	5312	WerFault.exe	131
7264	3872	WerFault.exe	557
10040	6680	WerFault.exe	571
9976	9968	WerFault.exe	606
10532	3604	WerFault.exe	619
10564	10048	WerFault.exe	613
10656	1204	WerFault.exe	575
352	9744	WerFault.exe	574

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	onedrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	onedrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	onedrive.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	onedrive.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	onedrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	onedrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	onedrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	smss.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	onenoteim.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.microsoft.com\ = "124"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	onedrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000017e36a5a009efe4cf25285acb38dfb247bad3a5d134be88f99eaa5a791ddd867000000000e800000000200002000000074c983d2c6ba7c4c808757fe3320085782a24104e7bb0e9f230edf54613a341320000000537ef63554acabe8ac2e48aa3409a28139b3e652970ae6c0a34a26bd9cb64ec140000000b2abed8a4fbfc1e873b56dac94fd0117d83971b4dae6940bba15d60de92819602ec2c083aacb14a93d95fe240eeeca4a362c31b0c1112a32b22ab664a6ac3732	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989317"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989317"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a048724305dcd801	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	smss.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000240cf17052ab99b1e8aaca8243e697a5cd33745b7a471d7bed023aeab785be52000000000e80000000020000200000006d2e464ac5ced91a0c2d07aee98b5559206bd688971682dce6d88d054701a8cd20000000647c1519947f0230a8d869130786b2b0c8d7e7d2f2b93707d172296b4214be3f400000000c877a1a4d51dabfec42e3a3f306f0ebae3ce5074fff00fe4be35eea25c61f4437d11f484118ba7f8fff1687706fb8ef9d94074034dacefe1e418ac3d2e44b43	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	onedrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "164"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	onedrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "2"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989317"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "164"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0817c4305dcd801	Process not Found

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\ = "BannerNotificationHandler Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	onedrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\odopen	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ = "ISyncEngine"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\ = "UpToDateUnpinnedOverlayHandler Class"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ = "SyncEngineCOMServer Class"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	onedrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\ = "ReadOnlyOverlayHandler Class"	onedrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	smss.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
5828	WINWORD.EXE
5796	WINWORD.EXE
5828	WINWORD.EXE
5352	onedrive.exe
6492	smss.exe
9904	Process not Found
6608	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
5020	msedge.exe
5020	msedge.exe
3128	wwahost.exe
3128	wwahost.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
5352	onedrive.exe
5352	onedrive.exe
6860	Process not Found
6860	Process not Found
3868	identity_helper.exe
3868	identity_helper.exe
7156	Process not Found
7156	Process not Found
7156	Process not Found
7156	Process not Found
6872	smss.exe
6872	smss.exe
8016	smss.exe
8016	smss.exe
7320	smss.exe
7320	smss.exe
7000	smss.exe
7000	smss.exe
7000	smss.exe
7000	smss.exe
8400	smss.exe
8400	smss.exe
8716	smss.exe
8716	smss.exe
7676	msedge.exe
7676	msedge.exe
9120	Process not Found
9120	Process not Found
8636	smss.exe
8636	smss.exe
8480	smss.exe
8480	smss.exe
8644	smss.exe
8644	smss.exe
6872	smss.exe
6872	smss.exe
5088	Process not Found
5088	Process not Found
5088	Process not Found
5088	Process not Found
7676	smss.exe
7308	smss.exe
8728	Process not Found
8728	Process not Found
8216	smss.exe
8216	smss.exe
8216	smss.exe
8216	smss.exe
4248	smss.exe
4248	smss.exe
4248	smss.exe
4248	smss.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
3720	explorer.exe
5312	POWERPNT.EXE
5020	msedge.exe
5796	Process not Found
6568	Process not Found
6492	Process not Found

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
6916	Process not Found
10496	Process not Found
10568	Process not Found
1220	Process not Found
9084	Process not Found
8068	Process not Found
8160	Process not Found
9976	Process not Found
9984	Process not Found
6992	Process not Found
10640	Process not Found
6636	Process not Found
5600	Process not Found
5172	Process not Found
5720	Process not Found
1120	Process not Found
1112	Process not Found
4232	Process not Found
2292	Process not Found
6108	Process not Found
3100	Process not Found
10124	Process not Found
8444	smss.exe
5536	Process not Found
7164	Process not Found
2080	Process not Found
3812	Process not Found
848	Process not Found
2416	Process not Found
1304	Process not Found
3928	Process not Found
2644	Process not Found
10840	Process not Found
8552	Process not Found
8736	Process not Found
2924	Process not Found
3468	Process not Found
432	Process not Found
2216	Process not Found
6524	Process not Found
4808	Process not Found
4184	Process not Found
5524	Process not Found
492	Process not Found
2680	Process not Found
5404	Process not Found
5704	Process not Found
2484	Process not Found
9572	Process not Found
2224	Process not Found
7912	Process not Found
3880	Process not Found
6616	Process not Found
3856	Process not Found
10460	Process not Found
3308	smss.exe
540	Process not Found
7476	Process not Found
9848	smss.exe
7724	Process not Found
4180	Process not Found
3388	Process not Found
7448	Process not Found
10788	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found
5020	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeDebugPrivilege	3128	wwahost.exe
Token: SeDebugPrivilege	3128	wwahost.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe
Token: SeShutdownPrivilege	3720	explorer.exe
Token: SeCreatePagefilePrivilege	3720	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5020	msedge.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
5352	onedrive.exe
3720	explorer.exe
3720	explorer.exe
5352	onedrive.exe
5352	onedrive.exe
3720	explorer.exe
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found
3720	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5352	onedrive.exe
5352	onedrive.exe
3720	explorer.exe
5352	onedrive.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3720	explorer.exe
3128	wwahost.exe
3080	StartMenuExperienceHost.exe
3720	explorer.exe
5516	SearchApp.exe
5828	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5828	WINWORD.EXE
3720	explorer.exe
5796	WINWORD.EXE
5828	WINWORD.EXE
5312	POWERPNT.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
5828	WINWORD.EXE
5352	onedrive.exe
5796	WINWORD.EXE
5312	POWERPNT.EXE
6860	Process not Found
5312	POWERPNT.EXE
5312	POWERPNT.EXE
5312	POWERPNT.EXE
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
6492	smss.exe
5312	POWERPNT.EXE
5312	POWERPNT.EXE
6492	smss.exe
5796	WINWORD.EXE
5796	WINWORD.EXE
6192	Process not Found
5796	WINWORD.EXE
5796	WINWORD.EXE
5312	POWERPNT.EXE
5796	WINWORD.EXE
5312	POWERPNT.EXE
5312	Process not Found
5796	WINWORD.EXE
5796	WINWORD.EXE
6568	EXCEL.EXE
5828	WINWORD.EXE
6568	EXCEL.EXE
5828	WINWORD.EXE
5796	WINWORD.EXE
5796	WINWORD.EXE
6492	smss.exe
6568	EXCEL.EXE
6568	EXCEL.EXE
5796	WINWORD.EXE
6568	EXCEL.EXE
6492	smss.exe
6492	smss.exe
6492	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 5088	5020	msedge.exe	84
PID 5020 wrote to memory of 5088	5020	msedge.exe	84
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 3568	5020	msedge.exe	91
PID 5020 wrote to memory of 4944	5020	msedge.exe	92
PID 5020 wrote to memory of 4944	5020	msedge.exe	92
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95
PID 5020 wrote to memory of 924	5020	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4340 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:7064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:6568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff62ed45460,0x7ff62ed45470,0x7ff62ed45480
    3⤵
    PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8356 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8512 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5980 /prefetch:2
  2⤵
  PID:7156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:6168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8960 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9484 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:7560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9004 /prefetch:1
  2⤵
  PID:7572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
  2⤵
  PID:7056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:7828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9368 /prefetch:1
  2⤵
  PID:7808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:8128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:8100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10760 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:6464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:7580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:7996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10852 /prefetch:1
  2⤵
  PID:7436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:7952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:8308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:8364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:8100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:8520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=10776 /prefetch:8
  2⤵
  PID:7856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10060 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:8392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9072127353078422936,17869278161399761257,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:8760

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7ce97a4597cb4baa94494f82e78309f0 /t 2252 /p 2132
1⤵
PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
1⤵
PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
  2⤵
  PID:64

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3720
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5796
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:6076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:5032
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=521839
    3⤵
    PID:6600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
      4⤵
      PID:6148
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
    3⤵
    PID:7000
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
      4⤵
      PID:7080
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5312
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5312 -s 7124
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:10196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3776
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:6492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=521839
    3⤵
    - Process spawned unexpected child process
    PID:7320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
      4⤵
      PID:6852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6744
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5808
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Modifies registry class
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:4276
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:6880
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:6248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6404
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:6568
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:2208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6132
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7060
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:3280
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:4276
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:7260
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:7460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:7844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:7832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7864
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:7816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:7948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:8008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:8176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:7440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7428
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:6872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:7916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:7732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:4656
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:7956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3732
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:180
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:7320
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044773
  2⤵
  PID:7712
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:5956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:6872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
      4⤵
      PID:8884
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:8104
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:8444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:8468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8512
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:8644
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:8724
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8716
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:9040
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:9052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:9104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:9180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044773
  2⤵
  PID:8660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:4344
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:9036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8904
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:8900
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:7732
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:8456
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:7676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8608
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8636
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:7720
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:5152
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:8472
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8480
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8644
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:6904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:6900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8272
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:7716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:7840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8212
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:6872
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7152
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:7676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:9112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7464
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:6548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:1096
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:9160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044773
  2⤵
  PID:7728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044773
  2⤵
  PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:8108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:8984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8956
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:6548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8564
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:7148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:8716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8428
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:7708
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:6836
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 6836 -s 612
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:6860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044773
  2⤵
  PID:7256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x78,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:2244
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2244 -s 820
      4⤵
      Program crash
      PID:10208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:9016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:60
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:1876
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:7128
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:9012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:5864
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:2768
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2768 -s 616
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:8944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xc0,0xbc,0x100,0xdc,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13021996610190004765,14616237337071622631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:8604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13021996610190004765,14616237337071622631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13021996610190004765,14616237337071622631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 /prefetch:2
    3⤵
    PID:8692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13021996610190004765,14616237337071622631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2496 /prefetch:2
    3⤵
    PID:7812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13021996610190004765,14616237337071622631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2440 /prefetch:2
    3⤵
    PID:8356
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:6948
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 6948 -s 468
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:8352
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:8872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8876
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:8860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:7676
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:5732
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5732 -s 496
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:8584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8884
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:8256
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:7936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0xd4,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:4248
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4248 -s 656
      4⤵
      Program crash
      PID:5896
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:8236
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:9032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:8912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:7720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,742769867701220272,10617593197179557759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:8664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,742769867701220272,10617593197179557759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    PID:8776
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
  2⤵
  PID:7280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9204
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:5196
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:8088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6516
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 6516 -s 508
      4⤵
      Program crash
      PID:9560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14202305644241456950,11222588868328766266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
    3⤵
    PID:9492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14202305644241456950,11222588868328766266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
    3⤵
    PID:9504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14202305644241456950,11222588868328766266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    PID:9532
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:9604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:9624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:9612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13820963357938770465,6033049514620988841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
    3⤵
    PID:9856
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:9832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:9848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9864
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 9864 -s 120
      4⤵
      Program crash
      PID:9896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044666
  2⤵
  PID:8560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:7376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1231309876860537080,4640475248225425507,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:7660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1231309876860537080,4640475248225425507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    PID:5004
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
  2⤵
  PID:8188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044666
  2⤵
  PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x104,0x108,0xdc,0xe0,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:1204
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1204 -s 460
      4⤵
      Program crash
      PID:10656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10546079167487342401,16907332068777378210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:9032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10546079167487342401,16907332068777378210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:8956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9744
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 9744 -s 460
      4⤵
      Program crash
      PID:352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3240066105710293987,8450764638049219015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:9888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3240066105710293987,8450764638049219015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    PID:9372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5538741742302767725,13937404308563870283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:5160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5538741742302767725,13937404308563870283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:2188
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2060
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\onedrive.exe"
  2⤵
  PID:6608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,18292336308216078647,15076610606809316441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:6844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,18292336308216078647,15076610606809316441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:7072
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:7464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044786
  2⤵
  PID:6836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14840018913706832805,1312278485692018820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:9828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14840018913706832805,1312278485692018820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:7320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0x104,0x108,0xd8,0xdc,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:9968
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 9968 -s 480
      4⤵
      Program crash
      PID:9976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:6188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:6712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4496510039936517213,2650598436163419988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:10452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4496510039936517213,2650598436163419988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
    3⤵
    PID:10508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044904
  2⤵
  PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:8616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044481
  2⤵
  PID:10804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x90,0xfc,0x100,0xe0,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13147300188263834907,16522370033333204347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:10560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13147300188263834907,16522370033333204347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
    3⤵
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13147300188263834907,16522370033333204347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 /prefetch:2
    3⤵
    PID:784
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:10844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044778
  2⤵
  PID:10960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
    3⤵
    PID:11000
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
  2⤵
  PID:7392

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:4644

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:4892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5516

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:6860

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\74b1f623697b4bde8b6550b0fb9e85c9 /t 5356 /p 5312
1⤵
PID:1456

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6192 -s 3576
  2⤵
  - Program crash
  PID:6000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 6192 -ip 6192
1⤵
PID:5276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
PID:5996

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
- Enumerates system info in registry
PID:7540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 7540 -s 3316
  2⤵
  - Program crash
  PID:6256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:7744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 808 -p 7540 -ip 7540
1⤵
PID:7416

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:7344
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 7344 -s 2824
  2⤵
  - Program crash
  PID:7868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 784 -p 7344 -ip 7344
1⤵
PID:3596

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8012

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
1⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
1⤵
PID:8140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
PID:6972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6972 CREDAT:17410 /prefetch:2
  2⤵
  PID:3996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6972 CREDAT:17426 /prefetch:2
  2⤵
  PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5956

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8492 -s 2780
  2⤵
  - Program crash
  PID:1316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 804 -p 8492 -ip 8492
1⤵
PID:8072

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6460

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8776 -s 2796
  2⤵
  - Program crash
  PID:9176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 8776 -ip 8776
1⤵
PID:9080

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:9208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9208 -s 2720
  2⤵
  - Program crash
  PID:8000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 9208 -ip 9208
1⤵
PID:9008

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:9120

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6872 -s 2712
  2⤵
  - Program crash
  PID:3088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 6872 -ip 6872
1⤵
PID:8420

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:9012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9012 -s 2800
  2⤵
  - Program crash
  PID:8036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
  2⤵
  PID:8608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 856 -p 9012 -ip 9012
1⤵
PID:5724

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8460 -s 2804
  2⤵
  - Program crash
  PID:8408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 856 -p 8460 -ip 8460
1⤵
PID:8180

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:5636

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8436 -s 2792
  2⤵
  - Program crash
  PID:8992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 8436 -ip 8436
1⤵
PID:4740

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
1⤵
PID:8936

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6328 -s 1860
  2⤵
  - Program crash
  PID:8912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 764 -p 6836 -ip 6836
1⤵
PID:7652

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:8776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8776 -s 2768
  2⤵
  - Program crash
  PID:4524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 840 -p 8100 -ip 8100
1⤵
PID:7328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8100 -s 1632
1⤵
- Program crash
PID:7204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 8776 -ip 8776
1⤵
PID:7720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2768 -ip 2768
1⤵
PID:8664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 7676 -ip 7676
1⤵
PID:6328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 816 -p 3280 -ip 3280
1⤵
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 5732 -ip 5732
1⤵
PID:5292

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:8728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4248 -ip 4248
1⤵
PID:2628

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:9164

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:4300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4300 -s 3172
  2⤵
  - Program crash
  PID:8756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 820 -p 4300 -ip 4300
1⤵
PID:9060

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:8440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3756 -s 320
1⤵
- Program crash
PID:9196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8724

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6692 -s 1844
  2⤵
  - Program crash
  PID:5180

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:9196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3124 -s 1692
1⤵
- Program crash
PID:7416

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:7456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 6516 -ip 6516
1⤵
PID:9548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd892446f8,0x7ffd89244708,0x7ffd89244718
1⤵
PID:9636

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:9652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 784 -p 9652 -ip 9652
1⤵
PID:9720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 9700 -ip 9700
1⤵
PID:9760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9700 -s 772
1⤵
- Program crash
PID:9780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 9864 -ip 9864
1⤵
PID:9876

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:9948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10088 -s 12
1⤵
- Program crash
PID:10120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 60 -ip 60
1⤵
PID:10180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 764 -p 2244 -ip 2244
1⤵
PID:10168

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:7164

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9732 -s 1748
  2⤵
  - Program crash
  PID:8696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 9732 -ip 9732
1⤵
PID:7188

C:\Windows\system32\atbroker.exe
atbroker.exe /start magnifierpane
1⤵
PID:9884
- C:\Windows\System32\ATBroker.exe
  C:\Windows\System32\ATBroker.exe /start magnifierpane
  2⤵
  PID:9872
- - C:\Windows\System32\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:10136

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:9904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 856 -p 5312 -ip 5312
1⤵
PID:10144

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:9324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 828 -p 7148 -ip 7148
1⤵
PID:6000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 3032 -ip 3032
1⤵
PID:9364

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:5616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3872 -s 740
  2⤵
  - Program crash
  PID:7264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 768 -p 3872 -ip 3872
1⤵
PID:6952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3872 -ip 3872
1⤵
PID:7132

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:4712

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub
1⤵
PID:9696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6680 -s 2788
  2⤵
  - Program crash
  PID:10040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 6680 -ip 6680
1⤵
PID:6676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8920

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
PID:6256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 6256 -ip 6256
1⤵
PID:4528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 844 -p 6256 -ip 6256
1⤵
PID:3032

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:2908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2908 -ip 2908
1⤵
PID:5672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 9968 -ip 9968
1⤵
PID:8128

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 10048 -s 2408
  2⤵
  - Program crash
  PID:10564

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:3604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3604 -s 1500
  2⤵
  - Program crash
  PID:10532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 3604 -ip 3604
1⤵
PID:10496

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10576

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10720

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
PID:10952

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11016

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11240

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10460

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:7428

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x4f8
1⤵
PID:11068

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:9976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 932 -p 9744 -ip 9744
1⤵
PID:6888

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:8444

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b4 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:3308

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:3280

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000084
1⤵
PID:5424

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:8188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000013c 00000084
1⤵
PID:6016

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:1916

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:556

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:3908

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 00000084
1⤵
PID:4244

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 00000084
1⤵
PID:3348

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
PID:7156

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000cc 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6492

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:8364

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:6120

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000138 00000084
1⤵
PID:2208

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
- Drops file in Program Files directory
PID:1768

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000084
1⤵
PID:9036

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:5788

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d8 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:3108

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:1200

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:7816

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000134 00000084
1⤵
PID:5964

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000013c 00000084
1⤵
PID:5652

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000084
1⤵
PID:3312

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:6156

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:6780

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000013c 00000084
1⤵
PID:8460

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:4792

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000180 00000084
1⤵
PID:4276

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000100 00000084
1⤵
PID:5072

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000178 00000084
1⤵
PID:5168

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000015c 00000084
1⤵
PID:7728

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000180 00000084
1⤵
PID:6600

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:7060

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8400

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:9104

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000cc 00000084
1⤵
PID:7440

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:6872

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:9112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000084
1⤵
PID:944

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000134 00000084
1⤵
PID:8272

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:7056

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000144 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:5180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:7964

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000084
1⤵
PID:9124

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:7932

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b4 00000084
1⤵
PID:7712

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:8128

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8716

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:7000

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000084
1⤵
PID:7916

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:3732

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000016c 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8016

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:7148

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
PID:4660

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000016c 00000084
1⤵
PID:7876

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b4 00000084
1⤵
PID:7956

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
PID:8028

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:1768

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:6464

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000084
1⤵
PID:8032

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:5788

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 00000084
1⤵
PID:8100

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:3236

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 00000084
1⤵
PID:8564

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 00000084
1⤵
PID:7464

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:7716

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
PID:5480

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 00000084
1⤵
PID:7940

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:7844

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
- Modifies Internet Explorer settings
PID:3996

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:7308

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8480

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000cc 00000084
1⤵
PID:8924

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000134 00000084
1⤵
- Modifies Internet Explorer settings
PID:1140

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 00000084
1⤵
PID:8884

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:5004

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:8560

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:6188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000160 00000084
1⤵
- Enumerates system info in registry
PID:9012

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:8356

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d8 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:7128

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:7460

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:8876

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:8944

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000160 00000084
1⤵
PID:8912

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:8256

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:8936

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000084
1⤵
PID:548

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000cc 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:7320

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000144 00000084
1⤵
PID:4464

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
PID:8720

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000084
1⤵
PID:9888

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
PID:8956

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001a0 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:1876

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001a4 00000084
1⤵
PID:4428

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000164 00000084
1⤵
PID:8520

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000148 00000084
1⤵
PID:7560

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
PID:7828

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
PID:4220

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000174 00000084
1⤵
PID:7996

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
PID:5904

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
PID:9032

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000144 00000084
1⤵
PID:4820

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001bc 00000084
1⤵
PID:4656

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000084
1⤵
PID:4948

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000188 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:7708

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000170 00000084
1⤵
PID:7536

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 00000084
1⤵
PID:7832

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000084
1⤵
PID:7808

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 00000084
1⤵
PID:5152

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c4 00000084
1⤵
PID:8984

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000019c 00000084
1⤵
PID:8088

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c4 00000084
1⤵
PID:5196

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001e0 00000084
1⤵
PID:9636

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001e8 00000084
1⤵
PID:7392

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c4 00000084
1⤵
PID:6948

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d8 00000084
1⤵
PID:900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c0 00000084
1⤵
PID:5732

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001e4 00000084
1⤵
PID:6516

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000024c 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
PID:2740

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000230 00000084
1⤵
PID:9200

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000224 00000084
1⤵
PID:8212

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c8 00000084
1⤵
PID:9612

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000138 00000084
1⤵
PID:8608

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ac 00000084
1⤵
PID:6852

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:4908

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000170 00000084
1⤵
PID:9040

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000017c 00000084
1⤵
PID:7952

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ac 00000084
1⤵
PID:11000

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000164 00000084
1⤵
PID:1096

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000017c 00000084
1⤵
PID:8900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000164 00000084
1⤵
PID:8408

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
PID:4996

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001a4 00000084
1⤵
PID:8308

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c8 00000084
1⤵
PID:4976

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ac 00000084
1⤵
PID:3680

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d0 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:8644

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001f0 00000084
1⤵
PID:3980

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000019c 00000084
1⤵
PID:5180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001cc 00000084
1⤵
PID:3828

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001f0 00000084
1⤵
PID:9864

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000194 00000084
1⤵
PID:2768

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000138 00000084
1⤵
PID:6804

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000190 00000084
1⤵
PID:8860

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000198 00000084
1⤵
- Enumerates system info in registry
PID:8492

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000198 00000084
1⤵
PID:8264

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000174 00000084
1⤵
PID:6548

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000018c 00000084
1⤵
- Executes dropped EXE
PID:7080

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001bc 00000084
1⤵
PID:10560

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:8904

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000134 00000084
1⤵
PID:6836

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000012c 00000084
1⤵
PID:8428

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000012c 00000084
1⤵
PID:6900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
PID:7136

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d0 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:6904

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001e4 00000084
1⤵
PID:8660

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000214 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:8456

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001a4 00000084
1⤵
PID:4608

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000022c 00000084
1⤵
PID:8604

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000274 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8636

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000022c 00000084
1⤵
PID:8940

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d0 00000084
1⤵
PID:4344

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000218 00000084
1⤵
PID:8664

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000023c 00000084
1⤵
- Enumerates system info in registry
PID:8776

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000280 00000084
1⤵
PID:1308

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000284 00000084
1⤵
PID:7720

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000290 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2244

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000254 00000084
1⤵
PID:7152

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d4 00000084
1⤵
PID:2636

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c0 00000084
1⤵
PID:8392

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000230 00000084
1⤵
PID:4768

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000214 00000084
1⤵
PID:7856

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000280 00000084
1⤵
PID:8760

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000031c 00000084
1⤵
PID:3032

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002fc 00000084
1⤵
PID:2700

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002a0 00000084
1⤵
PID:9532

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002f0 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:5152

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000032c 00000084
1⤵
PID:8472

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000348 00000084
1⤵
PID:7728

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000334 00000084
1⤵
PID:10136

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000380 00000084
1⤵
PID:3224

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003a8 00000084
1⤵
PID:7936

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002e4 00000084
1⤵
PID:7228

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000370 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:9848

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003ac 00000084
1⤵
PID:4180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003d4 00000084
1⤵
PID:3900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000039c 00000084
1⤵
PID:9624

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000398 00000084
1⤵
PID:8236

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000388 00000084
1⤵
PID:5864

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003d4 00000084
1⤵
PID:3280

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003e4 00000084
1⤵
PID:60

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003ec 00000084
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:8216

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003d4 00000084
1⤵
PID:1932

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003cc 00000084
1⤵
PID:1204

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003e4 00000084
1⤵
PID:9832

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003b0 00000084
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:7676

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003fc 00000084
1⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:9160

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003a0 00000084
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000360 00000084
1⤵
PID:7376

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003b8 00000084
1⤵
PID:9004

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000350 00000084
1⤵
PID:8744

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000037c 00000084
1⤵
PID:7256

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003f4 00000084
1⤵
PID:8872

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003f4 00000084
1⤵
PID:32

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000388 00000084
1⤵
PID:8108

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000038c 00000084
1⤵
PID:9132

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003a4 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:6608

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003e0 00000084
1⤵
PID:9016

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000038c 00000084
1⤵
PID:8716

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000036c 00000084
1⤵
PID:2952

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000031c 00000084
1⤵
PID:6836

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000304 00000084
1⤵
PID:1512

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000258 00000084
1⤵
PID:10804

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ec 00000084
1⤵
PID:7660

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000160 00000084
1⤵
PID:10508

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001b4 00000084
1⤵
PID:10452

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001bc 00000084
1⤵
PID:10960

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:7320

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000188 00000084
1⤵
PID:9372

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:8956

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:5160

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000184 00000084
1⤵
PID:2188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000100 00000084
1⤵
PID:6048

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c4 00000084
1⤵
PID:3664

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000274 00000084
1⤵
PID:9828

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000158 00000084
1⤵
PID:9744

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000194 00000084
1⤵
PID:9968

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000194 00000084
1⤵
PID:9856

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001b4 00000084
1⤵
PID:8188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000084
1⤵
PID:8616

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000084
1⤵
PID:6712

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
38865c8561f27bbda579b2c7c90cc6df

SHA1
8e29f6a48363100cc2ee5eea66030ad831f7dfaa

SHA256
c2bfcd201ae3d3f75ed80f16a8655f418208873d8a5fdfde5c73c8fc9ee3c47a

SHA512
2f80618c17c2430cd14894b94528ecc07493f63139df7b3e6684ae60ff734e5e1f8909d8b38d2e8a8834eaf007d0b7e5a1205cdd34fb93fa4de2f58cb6435199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
74633958ba69b4c890af312c0b9f06ca

SHA1
f89dcd15ec8c4a9ee7f83b78a26127437b3fc100

SHA256
5c3b997c0496059ff220df0a39891456d58781c87550c1ba4e310ad7955f6ab0

SHA512
c65e7b4c92b2016d788ec5c5f03fb7e611dc0c2a0e6178f1362234f729784ff51b0bdd01029e7650cbaa45f3a2666c976fa9ed03aab80e23fcb95cbd38decc31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
d2d59fa0153813247574c02260c03de5

SHA1
5ba134fbf5c6faf26ab2fefd99b45c537ba71852

SHA256
df4c08c96d1702a9fa779d2a32b7b60e997baf7d99a6ec0d2f517b464e3844fc

SHA512
3bbc143c2892385132404c22ddb9b242121aceb747ed07aea02f8ad5ceaa6168b525091ba540477d4b1c21ded8d584c4f510cae138f7481b0c8163ace4736e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
c42648610480f0d0596910b343c911e0

SHA1
0ab50d65098acead8cf054eb869954e68f7daa1b

SHA256
9c1b03c70bf3b589f31d24cb9a4dd06a4cff9e3f357444d7f334e599a8d4cc84

SHA512
5ba1655e4c6c0392b8a9ebca8361bda4c0c416ed956651c76617f7f68bacebb7f6fa9e3d80db56f6877555f2d869db51271b89ccc6e2b34271b9de237c98e6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
ddd248d4c9df81c16447133f638402f3

SHA1
4f6629d3cf885e97c69474ff1b19ea2988c06404

SHA256
a5d1be5a45a392b8451c92fd9cfaf8c37ffc248f26a07b6b7907c680f88bb970

SHA512
d40db8dfc38bf21dd436e3ee94d46c89fe7fa2cfb506d6a04bbd5deec2398dfbb98849fea6889e081118ebddaaf29b18f7e0254e12aac158d10b35ec9473bd94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\1UJZJN1I\hero-image-desktop-f6720a4145[1].jpg

Filesize
134KB

MD5
f6720a4145cffae73aef36d6a3865d14

SHA1
24a928df3a5c396a6f4b41ee0958e169bedd8d5a

SHA256
a4590ef7c24d342aeb168daf1684fbcbd1147ea0d2ba21a8493cacd4896a7d17

SHA512
75f1e8893bcad76ae803c4c7e6841fc5be96a1876d949b0f2f63ab7857e499165f55decb230ffa47515d6e66656a33f8eb11419ea77470e158c80940ee66fabd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\1UJZJN1I\thirdpartynotice[1].html

Filesize
104KB

MD5
effecce1b6868c8bd7950ef7b772038b

SHA1
695d5a07f59b4b72c5eca7be77d5b15ae7ae59b0

SHA256
003e619884dbc527e20f0aa8487daf5d7eed91d53ef6366a58c5493aaf1ce046

SHA512
2f129689181ffe6fff751a22d4130bb643c5868fa0e1a852c434fe6f7514e3f1e5e4048179679dec742ec505139439d98e6dcc74793c18008db36c800d728be2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\ew-preload-inline-9ceac07ef7e457350c92[1].js

Filesize
11KB

MD5
a6bcbe64202421a21cab4dcd7642457d

SHA1
6528d39744ed0b12bb101819e58d9dd49e35425a

SHA256
b11931621ebb199bed5058499a0e32251f794dafcf3ca828b5a223194fe0368b

SHA512
f799ee793371c9d0fd6788f3bf139d0147cf640e7ee7ea5f4c6dbcab3cab07798423bdf1ee9e49069f97427b6e7c0ec76f451cd725aac0e806245289b4bf00f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-717fc65f31[1].css

Filesize
2KB

MD5
717fc65f31e59d9d0ab34c26e2a5e6ea

SHA1
2341d68d308128fcd2738ee08c02c502e639a2c9

SHA256
fa61d28dc0eb263b52ad985035acaf7c0d2a3ecfb414107e34af7e91e109dd36

SHA512
63a9ef605afdff35b30deb0b954b34cc83c659ef665faa6ca3b0ab5a548584ee124d134612ea60498a733de7d5d9fd51cbdc28cb3099a2f52cc4756a30bfe5ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-async-styles.d9194ab3df060ff7c29b.chunk.v6[1].css

Filesize
44KB

MD5
015698b9307e579e6a4562369d0450a4

SHA1
7f6bf6a6bb0ccd8e4f3ddf70e7467737babff72b

SHA256
4747e84528557081cf7ff49b00bd8de5f58e6d056bc4be4643f21b6c642a195a

SHA512
d9899e6c8f87495bb1301d3e1d79a0125a9c08718c14a2e551a56e4d29bf0c282f4393dd68f9b9b91561541aece528cd54b6fc12d1d1edabfef293aadd3d85eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-bootstrap-0012126b8953ed9fcfac[1].js

Filesize
62KB

MD5
e1c999a0e078bdea47c53aeca0317327

SHA1
0121a49cf8a8be8478b37bd39e720b79e6944b26

SHA256
05fc66389b315f9ee3255f11bbcb198243a657e367d03a3a2de1ef4538fa8874

SHA512
d6ca3ca10b7aa7a4561be5411a28f1087a74b03b2eba849550bf4179fb643bded4456707e813ce149fb3874e881f777ff88614a3fa77116688199d4c6caf659a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-bundle-a9bdd00221c993a7bb27[1].js

Filesize
1.1MB

MD5
05401890b5726b419a945a56a108b178

SHA1
6debc0e934bc707e09581d3a45025348049a931a

SHA256
d2c58c385e46ef8188537fef7fef530e77665589ec651607a607c06787f0d89d

SHA512
d0a24c21baed0acdd538072fd768e22aa0c4e21bae993deb71c2d3ac0d1439dda2167e7fb8f0afb0aa205f571c12f17d991cc69e4105d2674df7346478ef76a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.6d84939bd936f4f0dd7f.chunk.v6[1].js

Filesize
44KB

MD5
0f2aecb314bea753bbc5653670b7d938

SHA1
7edf939e5f5458727b0e4d10159f6f70bdf93718

SHA256
a753312efd3ca45c102af27778a6dce8d16a7bcae56f2e193d11c7f4c7dea40b

SHA512
c1f1830d8f7151afcaaf91ae1e5254a79ebc54de2a6d021bd3696a1f06db2d31fcf26f391abca684dd651888d2e0e9d20b73220bf71c22d0943dc7ef7a1b4f7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-left-nav-rc.47645d6f3cbfb5e1bad8.chunk.v6[1].js

Filesize
44KB

MD5
65726de108c8cf3585a470480242cb8b

SHA1
0e60aae4d89c863a3094dbb117bd48e7578d7b05

SHA256
635540a5029987f48ee6d84c89ba0f7f6fe3cc0823d76fe8fbbe864b25729ffd

SHA512
7661de90cb4f2c6999baf3e715ef7b6b0c2ad516b9281547777ad58622047c7a63cd0b556d5623e1542696592e94cc7a99b85001827886034bc02164f6f46753

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-vendors~left-nav-rc.b8197f3809b4d661aeaf.chunk.v6[1].js

Filesize
28KB

MD5
56f712dc9961899aa20b1f04fb395394

SHA1
81978dae8b5113055633343aac6637d30ce2362e

SHA256
7a4f6447d73e40e6ef52c10f133cf36bedc1826009331167aee72a99a6052800

SHA512
70f7fe83898f5507bb56d29ab70c16d2f06750667e58fed6fc2f15c30d30b637425742464b8e11680fe992f02962364f7c161939660d72383898606bd51fde88

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v6[1].css

Filesize
10KB

MD5
2099bbb691eaca464bf868076797424c

SHA1
b1cfff48962901afc9859287f011df9ea582fc07

SHA256
6d396b5b108006171a8375a262957575621ddd189344277ef9e6359f4b69ed80

SHA512
aa8cf6da3a02bdc718a8a81f8683cad458606b1f66bf535df31aa1b71074054398c0f15f705a334259d82b8cd0ceda9ab9fa0c57e5fcf9d01baa2e251066df99

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\pwaunauth-9d8bc214ac[1].css

Filesize
5KB

MD5
9d8bc214acf8b3d599dc27d663f28d06

SHA1
4c0fe341618b5ad1840a06feb2b1799408074a04

SHA256
6a3b8828bcf50af8b74d47278bd7af65f25f34487e510f6578fa44549e76a9d6

SHA512
618a94d99f9ea9a9f82e898f5518d8de45a349297b7e30b8587b9307d0ab1d1da51c01c4ac497596376f163aefb1b6891d8cbab9404674e4b66f1e5fe4ea1b2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\segoeui_regular[1].woff2

Filesize
10KB

MD5
906ba74c1f7a4fd42174e0f58fad3c95

SHA1
3631818302580f0e0da3ed54e8488ce72b1d4b11

SHA256
bb232fd09a6696ce21ec10a43b89933e12ad866dfde30a4a6a08e08082e6557d

SHA512
287e1f5eb314302ed3d78d17516d9105deaf5ae325c3cdaa1298bab455c187022b53643a88bb9a64074707a1e19392b12f7bcac6601eb0fde66dbe7fb19c2e6d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\sharedfontstyles-27fa2598d8[1].css

Filesize
1KB

MD5
27fa2598d8d08e131197bec2c3786643

SHA1
041c8af3812efbc3baf777e83f6cad15557eaeab

SHA256
c8ad9c22eb148de817a1b86bcfc7ccef2151f798c0d8f26a7534ee0b9465ea34

SHA512
bc69b32f39c8988ccbdb759201dadde317de84aa9b3f1b401bdd919dd3d1b0c6df58028cfa83ac9f1d297a507050ecc166a9195aeba8fa33aad8558eb21ba2b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\sharedscripts-c77f7edec8[1].js

Filesize
51KB

MD5
c77f7edec8ddb196c75cb18d33456d44

SHA1
d160e4135c491b31a33460abd13c7d5f984194ef

SHA256
5eecee06d474645944c6c0f552679df4dd4f7cedf6482a9073b8cc1c598d34e3

SHA512
2bc40260452d461e0a34713a196dfd416e6874c4e265f199a03f2ed624211c8c433a1919b9512667427fe2811525c16fcbe3dafb9b2935b8419875b2f7bcb936

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\3ET61SAS\staticpwascripts-2828b02837[1].js

Filesize
15KB

MD5
2828b02837c72107adf2cd0113b04eb6

SHA1
007aa5c018270df81ad168243f46cc6cbe06d09c

SHA256
5f5b0603ceec66bac19edb4f555595422110945f8db488865ca1715af9abf7ff

SHA512
702f6b262d75ce4db452a0060c2c3a7b4a69b7974932ed6ed15e6a346155f05bce2de50c4d013f3f982e7e85f77f19d5669a1e013176516624b4e7a852b22d07

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\H37EGUNM\otel-logger-803ab00c96be7f090df5[1].js

Filesize
83KB

MD5
b79ab9db144be5b4664bfc3ce44fb2af

SHA1
4d4ba929fb9115d2b6d21daa2a30c5459739217c

SHA256
a05cedbfa55ea177e7ebca2bccab703e296e23e42e1ddf9729e472cd9a5478b2

SHA512
5c6ccfd141a17ae6fee17b6c161c2bda515df4df5e38085dbaa6fd633a73cd9cdfbd00ad8887573a564dcd2ce4c0eff3af2b5b486592eb3db792fa328350b512

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\H37EGUNM\segoeui_semibold[1].woff2

Filesize
11KB

MD5
dac73dc7b1eb35cd360da41648de072b

SHA1
da1f6a5f46b72320a55b398f5f66d5e9aa6132f1

SHA256
2cd3ef7b5b677b7827bfbe5b926a283e7ca687ddb6b021fa4289630671ebd061

SHA512
366155ff687c7892aabd45c875f6d9d695afdc247b807b18094c18abd4bf6e415e9c78ce2ede4076c378e659c51b1050c10323572e728b6e179f8ed1cd4a6057

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\lockup-mslogo-color-78c06e8898[1].png

Filesize
4KB

MD5
78c06e8898d2ac40434fb9f09053f06e

SHA1
269b39d77bfa1eeb114ad12d626b6f41953e5267

SHA256
80697da1af54cc7e68f99dac55b6aff97d9fc5ce6ea09232f521e4aa3477e52e

SHA512
f5be00bcb099ff7fc7603bfe879fd9916b3126f26f67ab29c0f8e4a4bf920d6232de75e5bf9c08dfb55151eac198128453883aa2d803557493d5089441fa8912

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\microsoft-office-logo-6c598e19ab[1].png

Filesize
14KB

MD5
6c598e19ab5b577e7a6c797c34fc1143

SHA1
2f875eed64a65b45b5482a6ccfa9a942ae44223e

SHA256
3d6e83eb4f8b6bd4322ddfe5641f60a64fe83fd67c25357727a365054f8f4dc5

SHA512
6e14c08bd5fc1702a1981e1c51c33f6e911a4117bf673bc25085efba06678f0c2d7630853c438da64b5423a90d64409b0a2f2bec7fa44708aba0471259f4fde5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\pwa-bundle-64ccb59f4a0a86519a5f[1].css

Filesize
88KB

MD5
c51230ef7b81555dede1c87b8fdc87d7

SHA1
b89444649734dd0fe2716d979f552b64105460f1

SHA256
9263771da0d290d4d77adea7a06abf66f0f2b6144f83f901105df22a7265d9c7

SHA512
deb7102740797161f1b038842114271c45e640696934daa7c086185d120111b2364bf9ab7f24bc882398145d37773920658b0ddb313c2ef15bad316dcca06f76

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\pwa-mru.fff4ba09d93a6ccd7dc6.chunk.v6[1].js

Filesize
42KB

MD5
bf1e92f6bd27e032124188fc98c44514

SHA1
d64c4b5021f8e01737279ce9712971da0cb9df67

SHA256
ebae519a0a5eacc80742ba65bea1ed20a60c95d53aaa7782a50e36a6e34568fe

SHA512
e5da1f898b0e46fe8cf0fbd1a68269af7c5e55a4a4b9125e3fdd9d3a9b43667eb1f9dddf46d593b103666acb685fbc77142e8649749addd529bb8c7d7620aada

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\pwa-vendor-bundle-e1acf896b3c6fc1e5eb5[1].js

Filesize
630KB

MD5
65a54bcf3b366b5011fdec4aacd1652f

SHA1
03dc87b0ce574606379e55436901dbae9aef1595

SHA256
2c4d522b99a02f851031b1dafbff77b2df3cd70162ae6a9606ed841d1217c091

SHA512
e023673bc583842fd91e379a4231363f2866e84f2c5368f91076495fdda543d4d533c968864ddefb18ba5d830583e91301677ae18c4a38d06848f3ba4c60e02d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\staticstylesfabric-43b09dbce2[1].css

Filesize
195KB

MD5
43b09dbce2dbac6b437013d6d90bb848

SHA1
5ebb66e696e38aefff45ed1c0b998bb1f2a046fc

SHA256
5386c5f271790725dc1926dc14cac5264f4089f17e5c44fe046c5d5eac3c63ea

SHA512
5b6600ae7a27cec809cabca9acd281d3aca655dd10f7754609ef0cfb2b5f3414968db82d7af405cd6c2a876b4cd0bf066b52f135715d072c189ed57619fe53b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\unauth-apps-image-46596a6856[1].png

Filesize
6KB

MD5
46596a6856f213069be3ece1b3238a08

SHA1
60639eb093a094354453a62b77144271f8dbc0ca

SHA256
8211691e5045749653ddef81d2f291d43467ff0001ff93f8184f0506cb06e2a2

SHA512
34ea62a6b988aa4eb67ca38b161916f402e1b5e8ac4bfef38de4c523695b73e1002c2ce36496d366eebde59ab8bcb53a6b507e19be0d0304a3c78602c47d4954

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\INetCache\YC8QMXYS\unauth-checkmark-image-1999f0bf81[1].png

Filesize
291B

MD5
1999f0bf815bce72e4ff30c9f11057c8

SHA1
f4f3b71117510404afb11a0ca4a4394b04d2537b

SHA256
92e650094cd9a15483537c9cc43dd043211be6a0d3f5ebc1ac6326b989811554

SHA512
4af6740b7526f8fc592331ea967ec05f3245d98795ee384aae0801289dd5370d69729edb7a06b8f720af013dd761b0dc4bd49f1260a35c452970eccbd824ec62

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
6b980e7a3b6e5d04ed43ac2d88383f01

SHA1
cadbd90d006287ff27e2c47809eaf2d06f3a63e9

SHA256
0dbbd3fed100813ed1d0de74b0780f6545eba1e140c8e77ce4e171e4d9c278d9

SHA512
5deacb10849eb7541b9c0358429f0b6ab1b3e1c6feb041d77c22b0b265f21b58223347920b7fe3975e8e75d6d55cfbea3f97a52a190e1ada79878c41876d4652

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
0cc91fa3dd717f6fc9f18054178100d7

SHA1
eea40b9226b00ede8b70dd06483b1a2074239ba3

SHA256
1417a77583061d329454a2e050665bef617bbe1a688977c4b6f9e9b79eb5a8d8

SHA512
e0f3c3a5679c11d8fff199d3598b4251afe90f53795ffab0b29b498f5da93facc03bb3bcac65377ef48b953497a689aa6189c27eda64ee674ecce48769df036b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\AC\Microsoft\Internet Explorer\DOMStore\RMTC7TMF\www.office[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
eb00abd628e868ca8a13375b1251c77e

SHA1
2a9a4aee96d9f76e1b7e9e3e922bec899ebe3f75

SHA256
10cc22fdf4b6f1109dc66a59514ab4194a575f68b4a51473e651a5f2533ac1c0

SHA512
0a835801b634f238266d5904cc873c357b6f2c3ed4924d0d665bfbeaeefd5b928bedc5ad86cb85c32fb84cfe9613ce0066b2459e442e8a265efd35b99f2dd758

Download Submit
memory/1912-372-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/1912-373-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/1912-375-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/1912-376-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4892-156-0x00007FFD840A0000-0x00007FFD84B61000-memory.dmp

Filesize
10.8MB

Download
memory/4892-234-0x00007FFD840A0000-0x00007FFD84B61000-memory.dmp

Filesize
10.8MB

Download
memory/4892-155-0x000002B0E8D60000-0x000002B0E8D68000-memory.dmp

Filesize
32KB

Download
memory/4892-154-0x000002B0E8D30000-0x000002B0E8D3A000-memory.dmp

Filesize
40KB

Download
memory/4892-153-0x000002B0E6BB0000-0x000002B0E6BBE000-memory.dmp

Filesize
56KB

Download
memory/4892-252-0x00007FFD840A0000-0x00007FFD84B61000-memory.dmp

Filesize
10.8MB

Download
memory/5516-251-0x0000026AD4950000-0x0000026AD4958000-memory.dmp

Filesize
32KB

Download
memory/5516-221-0x0000026AD74E1000-0x0000026AD74E5000-memory.dmp

Filesize
16KB

Download
memory/5516-223-0x0000026AD74E1000-0x0000026AD74E5000-memory.dmp

Filesize
16KB

Download
memory/5516-227-0x0000026AD74E1000-0x0000026AD74E5000-memory.dmp

Filesize
16KB

Download
memory/5516-224-0x0000026AD74E1000-0x0000026AD74E5000-memory.dmp

Filesize
16KB

Download
memory/5516-239-0x0000026AD74CB000-0x0000026AD74CE000-memory.dmp

Filesize
12KB

Download
memory/5516-242-0x0000026AD74CB000-0x0000026AD74CE000-memory.dmp

Filesize
12KB

Download
memory/5516-225-0x0000026AD74E1000-0x0000026AD74E5000-memory.dmp

Filesize
16KB

Download
memory/5516-244-0x0000026AD74CB000-0x0000026AD74CE000-memory.dmp

Filesize
12KB

Download
memory/5516-246-0x0000026AD74CB000-0x0000026AD74CE000-memory.dmp

Filesize
12KB

Download
memory/5516-211-0x0000026AD5900000-0x0000026AD5920000-memory.dmp

Filesize
128KB

Download
memory/5828-198-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/5828-203-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/5828-237-0x00007FFD656B0000-0x00007FFD656C0000-memory.dmp

Filesize
64KB

Download
memory/5828-192-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/5828-195-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/5828-201-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/5828-219-0x00007FFD656B0000-0x00007FFD656C0000-memory.dmp

Filesize
64KB

Download
memory/5996-395-0x00000228194A0000-0x00000228194C0000-memory.dmp

Filesize
128KB

Download
memory/9696-904-0x00007FFD74E30000-0x00007FFD758F1000-memory.dmp

Filesize
10.8MB

Download
memory/9696-915-0x000001ED48C90000-0x000001ED48CB6000-memory.dmp

Filesize
152KB

Download
memory/9696-917-0x000001ED4A3A0000-0x000001ED4A448000-memory.dmp

Filesize
672KB

Download
memory/9696-918-0x000001ED4A2F0000-0x000001ED4A312000-memory.dmp

Filesize
136KB

Download
memory/9696-919-0x00007FFD74E30000-0x00007FFD758F1000-memory.dmp

Filesize
10.8MB

Download
memory/9696-921-0x00007FFD74E30000-0x00007FFD758F1000-memory.dmp

Filesize
10.8MB

Download