c79f3697cc8671dd38370f3ce88dd86792ee0f183f0aa4cbdc1603df4eba2d8a

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LeagueTagsFree-win32-ia32/LeagueTagsFree.exe
Size

47.6MB
MD5

d60d7f02e0c6369d591b3a2d33b0abe4
SHA1

da9835b8d3cff371284f48efe20d332b9795de46
SHA256

529fc17ba3dde8d047ed43dcc3af13287a9c3e74923a600cc4f7f14e32e9ba43
SHA512

70d5981c65d5921ee1327c4ae36762827a21c16457ce18c8d8618bb0bf7847c05403b4a319f18253534eef731a9ba41c028fa00803323b4c131b2086bbf2a7cf
SSDEEP

786432:xSgi5z1Ye67Ezaxg+NwaGlsLvqczHmcoahPiaO:xHQYzEn+NwZl4/Hmcoa9

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\621a474c-d9e7-4645-bd81-7894587cbb04.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230403062805.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
4284	msedge.exe
4284	msedge.exe
384	msedge.exe
384	msedge.exe
984	msedge.exe
984	msedge.exe
4180	msedge.exe
4180	msedge.exe
2772	identity_helper.exe
2772	identity_helper.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4920	WMIC.exe
Token: SeSecurityPrivilege	4920	WMIC.exe
Token: SeTakeOwnershipPrivilege	4920	WMIC.exe
Token: SeLoadDriverPrivilege	4920	WMIC.exe
Token: SeSystemProfilePrivilege	4920	WMIC.exe
Token: SeSystemtimePrivilege	4920	WMIC.exe
Token: SeProfSingleProcessPrivilege	4920	WMIC.exe
Token: SeIncBasePriorityPrivilege	4920	WMIC.exe
Token: SeCreatePagefilePrivilege	4920	WMIC.exe
Token: SeBackupPrivilege	4920	WMIC.exe
Token: SeRestorePrivilege	4920	WMIC.exe
Token: SeShutdownPrivilege	4920	WMIC.exe
Token: SeDebugPrivilege	4920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4920	WMIC.exe
Token: SeRemoteShutdownPrivilege	4920	WMIC.exe
Token: SeUndockPrivilege	4920	WMIC.exe
Token: SeManageVolumePrivilege	4920	WMIC.exe
Token: 33	4920	WMIC.exe
Token: 34	4920	WMIC.exe
Token: 35	4920	WMIC.exe
Token: 36	4920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4920	WMIC.exe
Token: SeSecurityPrivilege	4920	WMIC.exe
Token: SeTakeOwnershipPrivilege	4920	WMIC.exe
Token: SeLoadDriverPrivilege	4920	WMIC.exe
Token: SeSystemProfilePrivilege	4920	WMIC.exe
Token: SeSystemtimePrivilege	4920	WMIC.exe
Token: SeProfSingleProcessPrivilege	4920	WMIC.exe
Token: SeIncBasePriorityPrivilege	4920	WMIC.exe
Token: SeCreatePagefilePrivilege	4920	WMIC.exe
Token: SeBackupPrivilege	4920	WMIC.exe
Token: SeRestorePrivilege	4920	WMIC.exe
Token: SeShutdownPrivilege	4920	WMIC.exe
Token: SeDebugPrivilege	4920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4920	WMIC.exe
Token: SeRemoteShutdownPrivilege	4920	WMIC.exe
Token: SeUndockPrivilege	4920	WMIC.exe
Token: SeManageVolumePrivilege	4920	WMIC.exe
Token: 33	4920	WMIC.exe
Token: 34	4920	WMIC.exe
Token: 35	4920	WMIC.exe
Token: 36	4920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5112	WMIC.exe
Token: SeSecurityPrivilege	5112	WMIC.exe
Token: SeTakeOwnershipPrivilege	5112	WMIC.exe
Token: SeLoadDriverPrivilege	5112	WMIC.exe
Token: SeSystemProfilePrivilege	5112	WMIC.exe
Token: SeSystemtimePrivilege	5112	WMIC.exe
Token: SeProfSingleProcessPrivilege	5112	WMIC.exe
Token: SeIncBasePriorityPrivilege	5112	WMIC.exe
Token: SeCreatePagefilePrivilege	5112	WMIC.exe
Token: SeBackupPrivilege	5112	WMIC.exe
Token: SeRestorePrivilege	5112	WMIC.exe
Token: SeShutdownPrivilege	5112	WMIC.exe
Token: SeDebugPrivilege	5112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5112	WMIC.exe
Token: SeRemoteShutdownPrivilege	5112	WMIC.exe
Token: SeUndockPrivilege	5112	WMIC.exe
Token: SeManageVolumePrivilege	5112	WMIC.exe
Token: 33	5112	WMIC.exe
Token: 34	5112	WMIC.exe
Token: 35	5112	WMIC.exe
Token: 36	5112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5112	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2996	4848	LeagueTagsFree.exe	85
PID 4848 wrote to memory of 2996	4848	LeagueTagsFree.exe	85
PID 4848 wrote to memory of 2996	4848	LeagueTagsFree.exe	85
PID 2996 wrote to memory of 4920	2996	cmd.exe	87
PID 2996 wrote to memory of 4920	2996	cmd.exe	87
PID 2996 wrote to memory of 4920	2996	cmd.exe	87
PID 4848 wrote to memory of 3284	4848	LeagueTagsFree.exe	89
PID 4848 wrote to memory of 3284	4848	LeagueTagsFree.exe	89
PID 4848 wrote to memory of 3284	4848	LeagueTagsFree.exe	89
PID 4848 wrote to memory of 4856	4848	LeagueTagsFree.exe	90
PID 4848 wrote to memory of 4856	4848	LeagueTagsFree.exe	90
PID 4848 wrote to memory of 4856	4848	LeagueTagsFree.exe	90
PID 4856 wrote to memory of 5112	4856	cmd.exe	92
PID 4856 wrote to memory of 5112	4856	cmd.exe	92
PID 4856 wrote to memory of 5112	4856	cmd.exe	92
PID 4848 wrote to memory of 4196	4848	LeagueTagsFree.exe	93
PID 4848 wrote to memory of 4196	4848	LeagueTagsFree.exe	93
PID 4848 wrote to memory of 1476	4848	LeagueTagsFree.exe	94
PID 4848 wrote to memory of 1476	4848	LeagueTagsFree.exe	94
PID 4848 wrote to memory of 4180	4848	LeagueTagsFree.exe	95
PID 4848 wrote to memory of 4180	4848	LeagueTagsFree.exe	95
PID 1476 wrote to memory of 1860	1476	msedge.exe	96
PID 1476 wrote to memory of 1860	1476	msedge.exe	96
PID 4180 wrote to memory of 2896	4180	msedge.exe	98
PID 4180 wrote to memory of 2896	4180	msedge.exe	98
PID 4196 wrote to memory of 1532	4196	msedge.exe	97
PID 4196 wrote to memory of 1532	4196	msedge.exe	97
PID 4848 wrote to memory of 3884	4848	LeagueTagsFree.exe	99
PID 4848 wrote to memory of 3884	4848	LeagueTagsFree.exe	99
PID 4848 wrote to memory of 5012	4848	LeagueTagsFree.exe	100
PID 4848 wrote to memory of 5012	4848	LeagueTagsFree.exe	100
PID 4848 wrote to memory of 5012	4848	LeagueTagsFree.exe	100
PID 3884 wrote to memory of 3084	3884	msedge.exe	103
PID 3884 wrote to memory of 3084	3884	msedge.exe	103
PID 5012 wrote to memory of 1164	5012	cmd.exe	104
PID 5012 wrote to memory of 1164	5012	cmd.exe	104
PID 5012 wrote to memory of 1164	5012	cmd.exe	104
PID 4848 wrote to memory of 2576	4848	LeagueTagsFree.exe	105
PID 4848 wrote to memory of 2576	4848	LeagueTagsFree.exe	105
PID 4848 wrote to memory of 2576	4848	LeagueTagsFree.exe	105
PID 2576 wrote to memory of 1736	2576	cmd.exe	107
PID 2576 wrote to memory of 1736	2576	cmd.exe	107
PID 2576 wrote to memory of 1736	2576	cmd.exe	107
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108
PID 4196 wrote to memory of 4420	4196	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\LeagueTagsFree-win32-ia32\LeagueTagsFree.exe
"C:\Users\Admin\AppData\Local\Temp\LeagueTagsFree-win32-ia32\LeagueTagsFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\LeagueTagsFree-win32-ia32\LeagueTagsFree.exe
  "C:\Users\Admin\AppData\Local\Temp\LeagueTagsFree-win32-ia32\LeagueTagsFree.exe" --type=renderer --no-sandbox --primordial-pipe-token=607C419FFE7384C53F8481041BE9229D --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\LeagueTagsFree-win32-ia32\resources\app.asar" --node-integration=true --webview-tag=true --no-sandbox --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=607C419FFE7384C53F8481041BE9229D --renderer-client-id=3 --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.breakcoder.org/ad1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed08146f8,0x7ffed0814708,0x7ffed0814718
    3⤵
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3934027208584098039,12187641729520864902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3934027208584098039,12187641729520864902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.breakcoder.org/ad2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed08146f8,0x7ffed0814708,0x7ffed0814718
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,18149774211016688032,17514648549368408767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18149774211016688032,17514648549368408767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.breakcoder.org/ad3
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed08146f8,0x7ffed0814708,0x7ffed0814718
    3⤵
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:2956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:5456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:5804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
    3⤵
    PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
    3⤵
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6168 /prefetch:8
    3⤵
    PID:5276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:5524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
    3⤵
    PID:3696
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 /prefetch:8
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff68a325460,0x7ff68a325470,0x7ff68a325480
      4⤵
      PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
    3⤵
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16931749451890540148,8167725682882572281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.breakcoder.org/ad4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed08146f8,0x7ffed0814708,0x7ffed0814718
    3⤵
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,17273658060838492542,10338529797637579882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,17273658060838492542,10338529797637579882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5168
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6104
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:460
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2340
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:460
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4496
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6028
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5844
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1200
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5168
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:860
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:448
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5868
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5908
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5356
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:728
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5356
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:6044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:732
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5188
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:5376
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:376
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline"
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC PROCESS WHERE name='LeagueClientUx.exe' GET commandline
    3⤵
    PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x304
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6462c71c-6330-43c8-a351-3570413f25c7.tmp

Filesize
5KB

MD5
5d4e3abed85e1fd887ec1791e5aab56f

SHA1
450969f68efc2534c5e7d9415777b704c370ad8f

SHA256
015882692dfaf06003a6d911012445f66fc8099b36eedb668325aef0315c3e3b

SHA512
367497fe43508ee720fb6a33c8b7c66bb9880f62d6072643f92e588ef9224c143b3119fa536eb7c7eede366c8fd398a584fca214e9d9b67162fc4aa71922fbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
50KB

MD5
40333c9d07daab8ba8a53f73ee3f974e

SHA1
36c2b17a7c48fc28036534f445b79fca9658f0a4

SHA256
998313664fbeab2403238a77e6c50a4541d20805b30533f67de1a12c624fee54

SHA512
4a893bf97a02f88a3ea7830b5f72eb56295566a2c6ceafa33fd80f74f81edadbb4172f71c0e12e4a06b1e927f9d7b0cc62c5ba070cd50f3f25c8b670a1270de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
22KB

MD5
a34c77847d7a957a99edaf10a7deaccd

SHA1
1619cedec658842283a7a474adba2efdcb0d3598

SHA256
ebee5d0011bcd484c4e7067822a1bcac208a0d03a33fced5c6a222666df67350

SHA512
afe20d031816081eba10587141518fbce91ed5f3b44fa002a593f784603d4b2007c89713cd6d9ef3eee3ecb8b53a57ecd078826ba0fcc5d02f2b7de814dd1b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
4c64bb4b4c3d6b1a5cb4a665b3faabfb

SHA1
92b2de45e2a0917f36516f1d5442b15f4156596c

SHA256
8917c92049e1cfd5a6df541099e7b6074895a04c2fac621fd5ace190e01aae1c

SHA512
710232ccd7fdb2c9acc87ad7bcf6ecb2595dc47fa4ceb07a76cd488df4795497a5a7ec00f325a65ecbd840073c4f971b68d88c4cc46b3dc66284c25c248e9b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
b54609d55e1bead4ab2520dfc1822d2d

SHA1
3d83b1ce4f02be4f95c24fe2737f2f9c85ba4699

SHA256
419116f25f13533f591995a18afbb3d1134402b839f526659437f648ca52b610

SHA512
8379ed7732b8019c93eb8465b1ea2077b81763131e02e22793d74e3d3427626f58bcfcf8157d4ff7a37ce57f9bfa6aba1043b918385f4f512bec3d18e6723292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
46KB

MD5
d14d5437644df7526362ad3547ea7102

SHA1
01941067d95bdbf807684d57ac786d4449918734

SHA256
53780e368df95755fdd8825887fa1f151c232cd576a7b62b281511491855ff42

SHA512
8c6a367203520d4ba23de5043a7f3fbe5e9f255edb8989d5e6635bcc62836ddf257853584f18bb2b34888029ab73e06316e1653d835ad83d8592f909624d692f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
24KB

MD5
789fd4f17cc11ac527dc82ac561b3220

SHA1
83ac8d0ad8661ab3e03844916a339833169fa777

SHA256
5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739

SHA512
742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
690082d06f686859d215db9bb601994e

SHA1
51d1b33b5bb8a366915a5b241d852877cc000bf4

SHA256
19ba9415d193b1a3847081d14b4079b8557ccb3677b02eba2330fe7a067c769e

SHA512
4e7b44a4bad96b14948dbedc4964b71c8affaea7665148c6daf799014cdd34075047736705890866c6919e896d805700dcf88329ff7252c511f0581ce07b51da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe578e75.TMP

Filesize
48B

MD5
99b392cc1c3211c1b136a3bf7b6969d2

SHA1
3ec5b4a95dc20614e5981a487ff556c116ae5fa5

SHA256
8b8ebe12485ee96ecf86a0bba4d5cb2a2323308462f6199cc1e638928081afaf

SHA512
6090baa106ff54932a08ef59a144fc606eb6f6e163f32f6017748638085af7990aa9a28bbf866098dec22a8f1934ac34b6d4fd4633ef441b8f6c5921c1cc6c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
20e992a3b05e981b76a79411b1e4d8b6

SHA1
f9cc51f0de558963ee9f26edb9c0974dae3987d0

SHA256
18b4a0c0ee4405187bfce103e4fea11bbf490e74a2fad27bf3aec5af52c07da4

SHA512
f34ba4eb400af0812a4f920dcbd6a31d2c12bdcec1accbb8c71b71e25f390373673b4aad75fca056f93dcef9ec4bccc37dbcddf7838da27ce0d1612f186debb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
def51fc0cd94ab2ca35dbe82806209f4

SHA1
53cf0420d9f1e97a3ab0aeeb24d889fa7f4c1161

SHA256
c8f02139ee05973545f8c326d0dc406fe9bb71dc70ee88fdf68c4329b0ff5b04

SHA512
f6975af215d6e97e3ae2f2f7478786f99945860be511e2cdea65bafeb37ed8d0948021ff4732f3679932b0ee5a3e980b65ccda09ea6b7186072c98e25b1bc591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
01f11f5f292b6a28da62279cc8dc7707

SHA1
96e63ea8091d5828f232a5d2272f576e735f5c6a

SHA256
81011f445b58592451a693e0e72e7a0e84db8d26d89f9a105e10d401b9c657b7

SHA512
b96f2e9cc04fe1e152ac38b3aaf7977c62b3bf471d25a4140c343f64e6d164a165ed1703b497e2dfe90e2c1cb489668a17c63e1ed75498ab81289d27cc70dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
290eb87efb09acb80e2582972e5fb241

SHA1
0438639558d74ec1f7e41732318a8a7cc3ba933e

SHA256
45b8b51fb6ca2e6694c0ffff228474c2fa50245158f77d133492d4549ef135fd

SHA512
9050477662c5927c87e5fcf40e71401c4d705b62690aa958189933eeb6236c0faf616d8491c6afecb6a78ad1a38f1d964943c9e55a98ea711da1df0e4829ec94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9c27559f6165f67d2d251a497b3eb87f

SHA1
09c6274730c62b9972d6351b5ac3223c0bac79c2

SHA256
e1413263a97ec4d28686762c69ea99b29bbef22d3d3a2bbef71b306529956029

SHA512
1c0233660b98a9307dc9ffdfd045ba08772152ec0a600dfcff4973936ff58b929aa2757d90682b253c9c2984c5920d50460aca1aac22067cd246a19ff5eacde7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\00102fd0-7eb8-4565-8e24-f28eb44ef967\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\728a16e1-d778-4414-a1a4-098e8a7c6463\index-dir\the-real-index

Filesize
1KB

MD5
1ea98c27e7555f6e774e41d3d8e9de0f

SHA1
921bc93bd14403d9332b440021397f8591591378

SHA256
02a1e4c6bd6fd70d6582bab93fa440bcab50116795d413fe3b3196c69114d335

SHA512
110cb8572c66ac6be393c696d996c18b538928f3adc85b4836e3a7ca6d83ddbbfa2b731be862d16b5adddece5843667752bbc3e205292212feab99d06cc7f744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\728a16e1-d778-4414-a1a4-098e8a7c6463\index-dir\the-real-index~RFe571751.TMP

Filesize
48B

MD5
a40626be5fda1effffde12297f4c4549

SHA1
b677630bf0bfc59df04c60b9e4321881fc3b69f4

SHA256
eaee5ce7fdd084ec0fbe50f7504ab036422d8f579329dd657ab5f19613cef12b

SHA512
9290137871b132961dacc68c6f8b72a77380e7cd5ab0ea588710030ac64c7906b1f3f643cfb905f99ab59d1266287da7205edc0cc9b0e64a4b886255f040117c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c0873167-bec6-4290-8907-19ce0008d896\index-dir\the-real-index

Filesize
624B

MD5
5bb7364facdc1bca1368ac1c5d347a33

SHA1
355f840f639a2370624596b372a5f460a290ff00

SHA256
5a783b2cb3283a95c7c629842df05b17498f4bf08b0af1c2f8fa7ec934ac36c9

SHA512
e905926ca49b912dcd73e61a8ea74e38382cb4f0ac52196cae47e91eb3928a9206257170b282c7992af63fc494424803a9f5791e48e843615de23949b1eaae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c0873167-bec6-4290-8907-19ce0008d896\index-dir\the-real-index~RFe571ca0.TMP

Filesize
48B

MD5
602b0e8b3e80fea6706d9f31ed1764ec

SHA1
823380d1d362b7f2cbfb09ffbdca77aec4b50cd9

SHA256
32862796e968ef47993cf564dbe042b231da2d391c8a8b85b5740d627a1c66f7

SHA512
eb6dee54ca860ad72d35baa6d70b4d6e66db529948fe0b7b94b309d7d138295df6b300cdc8277178c20c3a661e29015507f0e75444103d45486037d74db667e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
80d5d2387aa02a977064a4fdeef81781

SHA1
52c0e952919937e8311be81a93ea2f0a6dd445f0

SHA256
7993a8b6067875637e0a43bc2beceec627c6abeaa8925675ffb0e657f9676fe4

SHA512
3c3b6ab06b3766aa40a81a06e462eed3bae4a9911360dd7288fb6d3fd1748df198e39520ea1c2dff00b416aa06b5df0c244a503d985a49015b9e4dd7f575852d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b0eb36a17e7fd0fe55584ea468369a31

SHA1
9ee61c3fbb83f4eb32828e07aa4c07bffa514c96

SHA256
ab2f2c657e5b34f4281a5df296be0c588a8166a9d9cf3272d51bcec706fdf184

SHA512
c7883914e89161a74c83e9a39618dd19a4a874c7e65a35129c78ef6fc19f47c14ead5b5fd1222944fc519a4910f0be70894b6762d117377d1e1f97e0e8a27d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
6c1c3f63a67699a6479a7f42439dc554

SHA1
ed832783026387fdbc546aa938d01f5859311e23

SHA256
88cda2a96c649dc65b684e608be0204d488435e42df5ebece43973b12ac79c59

SHA512
52d00c6c105d5ab48199168a4a5754fba61369cbcbc6b983ba5fe3895ec8b294045e74ea8380d70809857e4b1c3664525d2c48df5132db2db6ec8622e9112d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
eb05138141f23d3edb8dee2546cb13fa

SHA1
b1126369d53a5811db975a418cb41660fcaa5f52

SHA256
b2242733b7079c2980ea0e4d46ef6037e7948ead16832d4f29570fd40c239f31

SHA512
a07ccb07c76d4f2a07033570672bb4757c1f248f9c51bc6a03313768435068237c7d707080f13f4868926255c622a681c2f0c213dcaa5ab1dc6274ff4b3b41b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
2ac51a0e34bb09efa25bd0df722c5654

SHA1
b4a18319e02047a5c13c3f22267337b3b5f7d79c

SHA256
2b917929bdd2d6ba020c0a1d7fd1706ec654c12fac65fa9f116b01d12e344d10

SHA512
20498440c15942f2168c309abb6fe372c04324d07b11cdc6d173c4d3d517cc54cbdae99dd050da85f04c6cd44d7534f7792eacde791b205890b91352a11230ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
540194b20102ea77895109d45bfe3e3a

SHA1
3abb575748b53646a0378d2eb103605764ef2257

SHA256
8daea45c70a371ed49ea38c7b01364f40e8f303f7932c07f7de3621466199ef9

SHA512
b21ec9e5106d86837ddf985f0af41251ffa93a97a1593eb99b07398ce861f8131bc7bb83f575dcf68b8abbc5bf54f237d057799fee4b1aecd83e9de3002e4d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
3d9ed5920708bbe574522881579ace32

SHA1
1436b98e8ee9ee059d61057f3583b5300af4391c

SHA256
4e7572544b7e1e43c799d830ce79a36e8214a0285a6ef4263f5fed9710cdf28b

SHA512
29992281534bf6bb592c6d57c74a10bc605f4e0a75a77517c0d23cab787d0d4c830ad39b707cea4f3feeebc43675154dfba3157a0301bc6069a5afe2084de142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a03984d74803a36cea63e1be4a1955b5

SHA1
8250e380cb6f90cbb41206467a19c9ff3b233b51

SHA256
3c1ea636e303031ec3cc2ca2d2f5456bf13e8207d344168b7fffd717f2666faa

SHA512
6881613715e056055dfe407c17296c6ff39cc6fb9f560568cef9e7c930e20c02a7592225e5a946426d762a77deb4216fc25d4188dfff432cbac2bc816afd5508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe570b0c.TMP

Filesize
48B

MD5
30fe05cba4d54c921d239fef386a0d5e

SHA1
5853921d06fdf1230feec19003338faf3d2083e1

SHA256
d7488eeaf3cf276a793e3ea3fc45ac74a13834dcf02ddc760833993c35cb488a

SHA512
8b7265523c197f582b4b77a0382be753fc7d462ed82356f35d01d6348c68088565f9b0ae7de2843469153254325251aa7ba9114f9d7f11dd70587b21c8927a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64179c54c88b8ea70ad75340544a8c12

SHA1
882271c17624616808ab08f59244f7c8c2a202a6

SHA256
a643d9d678aa28e70d68d8df05c35381d19bf3e35beeb1673093ace93f144c04

SHA512
3038baaf5143a06cb434354956d6a998756cf8952b696a4d94fa82dd77fb2eae77280578bfce838322aa6f329c5a45dba89ed04622ce88364473a54c39421aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e649658501e305eeac92aafeace36d7

SHA1
54c5b0c4d5781909ecdf35ca08c91015736bee3c

SHA256
291b733255c1e7e15b2af122ddd92c091459ae482277199ba41682003927053a

SHA512
0159f621dbab0200b4b364bc61140208475ed5e1043d439b082203445769d89688aff52c74e58a68cfd57b97d5860826d2ccf6123b111418fe39dd49a527dcc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57032c.TMP

Filesize
1KB

MD5
e55ec698f1e951356f0ec2b4e93fd821

SHA1
b88c7600d3627a81a21ef135bd996ddc0f844edc

SHA256
06de2c322dda9c452be23b1be1988347bf5f54a6ae618b27e866a8af955be802

SHA512
201dd466badcea9607704b92f7c1e24a27d5b86ff8d9415e4cc30a449f2fb59612de57290f43e84aad89f490e79a4868d99ab0440253a6cf2208f9e91928f308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d623f37e3a0679feee047acea699a191

SHA1
1a3fb789a5c2151cbc7008108aa0505454d65b62

SHA256
8376ded20cdf5ef5dd3ed25c8e68ac9b0ec486493f2bd2af3b7558248dca77fc

SHA512
70dd4b43f56962ff0a3c15cd0790c6c5ec46c2399043f73c64756ca4acccf500839a0a75b5bb4a158396c523eb3be09bbf7a3b03ec4ac2fb65a7c513f6dcdbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d623f37e3a0679feee047acea699a191

SHA1
1a3fb789a5c2151cbc7008108aa0505454d65b62

SHA256
8376ded20cdf5ef5dd3ed25c8e68ac9b0ec486493f2bd2af3b7558248dca77fc

SHA512
70dd4b43f56962ff0a3c15cd0790c6c5ec46c2399043f73c64756ca4acccf500839a0a75b5bb4a158396c523eb3be09bbf7a3b03ec4ac2fb65a7c513f6dcdbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d623f37e3a0679feee047acea699a191

SHA1
1a3fb789a5c2151cbc7008108aa0505454d65b62

SHA256
8376ded20cdf5ef5dd3ed25c8e68ac9b0ec486493f2bd2af3b7558248dca77fc

SHA512
70dd4b43f56962ff0a3c15cd0790c6c5ec46c2399043f73c64756ca4acccf500839a0a75b5bb4a158396c523eb3be09bbf7a3b03ec4ac2fb65a7c513f6dcdbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
826c5ce69a51b0976c3361676ed7370d

SHA1
2d1c2103089e57bbf90f65ab8b854c149cb639f8

SHA256
52e31b67b7b17e0a5767642b25548cb7e82a95150996c4eb473612d6b3bfcba3

SHA512
e756b7c871232acbad281b9fff582cabb4717691b4b1548fb93ee2b35a77bc6b820aee2392e8b781f7622f26337bba1d6b19c03cdc3f460da127b3018cda5e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
826c5ce69a51b0976c3361676ed7370d

SHA1
2d1c2103089e57bbf90f65ab8b854c149cb639f8

SHA256
52e31b67b7b17e0a5767642b25548cb7e82a95150996c4eb473612d6b3bfcba3

SHA512
e756b7c871232acbad281b9fff582cabb4717691b4b1548fb93ee2b35a77bc6b820aee2392e8b781f7622f26337bba1d6b19c03cdc3f460da127b3018cda5e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
826c5ce69a51b0976c3361676ed7370d

SHA1
2d1c2103089e57bbf90f65ab8b854c149cb639f8

SHA256
52e31b67b7b17e0a5767642b25548cb7e82a95150996c4eb473612d6b3bfcba3

SHA512
e756b7c871232acbad281b9fff582cabb4717691b4b1548fb93ee2b35a77bc6b820aee2392e8b781f7622f26337bba1d6b19c03cdc3f460da127b3018cda5e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d623f37e3a0679feee047acea699a191

SHA1
1a3fb789a5c2151cbc7008108aa0505454d65b62

SHA256
8376ded20cdf5ef5dd3ed25c8e68ac9b0ec486493f2bd2af3b7558248dca77fc

SHA512
70dd4b43f56962ff0a3c15cd0790c6c5ec46c2399043f73c64756ca4acccf500839a0a75b5bb4a158396c523eb3be09bbf7a3b03ec4ac2fb65a7c513f6dcdbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d623f37e3a0679feee047acea699a191

SHA1
1a3fb789a5c2151cbc7008108aa0505454d65b62

SHA256
8376ded20cdf5ef5dd3ed25c8e68ac9b0ec486493f2bd2af3b7558248dca77fc

SHA512
70dd4b43f56962ff0a3c15cd0790c6c5ec46c2399043f73c64756ca4acccf500839a0a75b5bb4a158396c523eb3be09bbf7a3b03ec4ac2fb65a7c513f6dcdbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bae1df63600f018b60c90f8d0e0c3c55

SHA1
4aa07b54cf05e6b745996f997d7d8e585df0f173

SHA256
211b9150b9e350290b60be816f178c2a6cbbfb72a02584e932eca8908a378ffa

SHA512
2eae2a9735488e5b283bf930681c54b19f08400e67ada1b4bafbe2491676fc258237ea4c45b6e87067619520807eff370c99e38237f3261ea7f4e2f02940fd52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
5e58f735fcdb828c12360ea1825d6801

SHA1
360e99ac92dae13490de49ce088eba16611a6773

SHA256
74d764fc030d35349d52f2de0f4c54525b13150c0ea67e71e18699601b372bea

SHA512
e3c0d59f9859eebb5021dc03a8f3137fa1127268eb5c350991786cf2fabaea990a456a0a8c3a4cae778ca116a0903d94e1c6ba0411561110e610bf0272ea49e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
943da77ba75f7176aa744191cff71047

SHA1
ad5d1511e969fee0dd52a137f758002ca5c619e8

SHA256
5b39a8e54d1d8022e981033398269e1a37115a89049d1af72218c41da1d894a4

SHA512
7a618e2a68bb6d9d4c9b117f2cded9db5f929bafc3011de3e9c4708933f3f715ff54a34393bdcc48864a6aca8309cf04886644acd82dbcac894c7e994ab21f16

Download Submit
memory/3284-134-0x0000000027100000-0x0000000027101000-memory.dmp

Filesize
4KB

Download
memory/4848-133-0x0000000016900000-0x0000000016901000-memory.dmp

Filesize
4KB

Download