xtremerat | 312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d

Analysis

max time kernel
81s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca38e573543038958bfac0734582d86.exe
Size

101KB
MD5

cca38e573543038958bfac0734582d86
SHA1

03caa3e2162c48a8415a9790e8f7c8811e1fb7d0
SHA256

312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d
SHA512

83af9319e2da7893ce0d98e8da9e9fb63778f6c2d6358bdfc5a7b6542670517a59eecc2da1ffc2e80a810952e1d1cf59aa1b579c8b6c1902a6c90cffbdab83a2
SSDEEP

1536:bNPB7mZMvoXGQysjHFq5ofXMEGUHGWkuZoHwdzE95s7xhRoV3qpdHDd:bNPB7JvDQzzQ5G8EGUxNeMiV3gdHZ

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral2/memory/456-8-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/456-7-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4680-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/456-18-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4488-27-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4488-34-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4380-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4380-68-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3128-75-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/816-83-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1776-94-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4912-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3792-110-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2228-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/816-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1776-132-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3152-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5044-145-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3152-147-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4824-156-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3792-159-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2228-171-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4500-182-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5044-201-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/648-207-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4500-212-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4824-219-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5364-234-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3548-239-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5504-247-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/648-253-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5668-261-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5936-273-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5232-274-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6056-284-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5364-288-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4500-295-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5504-299-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5324-306-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5668-310-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5732-317-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5936-323-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5136-330-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5492-338-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6056-344-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1708-349-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4500-353-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5956-360-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5324-364-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2608-371-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5732-375-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6128-383-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5136-387-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5532-394-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5492-398-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6212-405-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1708-409-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5956-419-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6500-426-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2608-430-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6128-440-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5532-459-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/7148-466-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/6212-470-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cca38e573543038958bfac0734582d86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 64 IoCs

pid	Process
3520	lsass.exe
4488	lsass.exe
2964	lsass.exe
5032	lsass.exe
4380	lsass.exe
3128	lsass.exe
3548	lsass.exe
4912	lsass.exe
1464	lsass.exe
184	lsass.exe
816	lsass.exe
1776	lsass.exe
1240	lsass.exe
3792	lsass.exe
648	lsass.exe
2228	lsass.exe
1844	lsass.exe
4624	lsass.exe
3152	lsass.exe
5044	lsass.exe
816	lsass.exe
4824	lsass.exe
720	lsass.exe
3548	lsass.exe
2976	lsass.exe
4500	lsass.exe
5080	lsass.exe
648	lsass.exe
5196	lsass.exe
5240	lsass.exe
5232	lsass.exe
5364	lsass.exe
5464	lsass.exe
5504	lsass.exe
5620	lsass.exe
5668	lsass.exe
5892	lsass.exe
5936	lsass.exe
5988	lsass.exe
6056	lsass.exe
6128	lsass.exe
4500	lsass.exe
5408	lsass.exe
5324	lsass.exe
5640	lsass.exe
5732	lsass.exe
5992	lsass.exe
2608	lsass.exe
5136	lsass.exe
5492	lsass.exe
5176	lsass.exe
1708	lsass.exe
5144	lsass.exe
5956	lsass.exe
5424	lsass.exe
2608	lsass.exe
4500	lsass.exe
6128	lsass.exe
5400	lsass.exe
5532	lsass.exe
6176	lsass.exe
6212	lsass.exe
6300	lsass.exe
6344	lsass.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/456-4-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/456-6-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/456-8-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/456-7-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4680-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/456-18-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4488-25-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4488-27-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4488-34-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4380-43-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4380-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4380-68-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3128-75-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/816-83-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1776-94-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4912-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3792-110-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2228-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/816-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1776-132-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3152-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5044-145-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3152-147-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4824-156-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3792-159-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2228-171-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4500-182-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5044-201-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/648-207-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4500-212-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4824-219-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5364-234-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3548-239-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5504-247-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/648-253-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5668-261-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5936-273-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5232-274-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/6056-284-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5364-288-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4500-295-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5504-299-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5324-306-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5668-310-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5732-317-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5936-323-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5136-330-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5492-338-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/6056-344-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1708-349-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4500-353-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5956-360-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5324-364-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2608-371-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5732-375-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/6128-383-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5136-387-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5532-394-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5492-398-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/6212-405-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1708-409-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5956-419-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/6500-426-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2608-430-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 3520 set thread context of 4488	3520	lsass.exe	110
PID 2964 set thread context of 4380	2964	lsass.exe	122
PID 5032 set thread context of 3128	5032	lsass.exe	123
PID 3548 set thread context of 4912	3548	lsass.exe	143
PID 1464 set thread context of 816	1464	lsass.exe	147
PID 184 set thread context of 1776	184	lsass.exe	149
PID 1240 set thread context of 3792	1240	lsass.exe	172
PID 648 set thread context of 2228	648	lsass.exe	176
PID 1844 set thread context of 3152	1844	lsass.exe	180
PID 4624 set thread context of 5044	4624	lsass.exe	182
PID 816 set thread context of 4824	816	lsass.exe	209
PID 720 set thread context of 3548	720	lsass.exe	212
PID 2976 set thread context of 4500	2976	lsass.exe	216
PID 5080 set thread context of 648	5080	lsass.exe	223
PID 5196 set thread context of 5232	5196	lsass.exe	245
PID 5240 set thread context of 5364	5240	lsass.exe	249
PID 5464 set thread context of 5504	5464	lsass.exe	255
PID 5620 set thread context of 5668	5620	lsass.exe	263
PID 5892 set thread context of 5936	5892	lsass.exe	283
PID 5988 set thread context of 6056	5988	lsass.exe	287
PID 6128 set thread context of 4500	6128	lsass.exe	292
PID 5408 set thread context of 5324	5408	lsass.exe	300
PID 5640 set thread context of 5732	5640	lsass.exe	310
PID 5992 set thread context of 5136	5992	lsass.exe	333
PID 2608 set thread context of 5492	2608	lsass.exe	338
PID 5176 set thread context of 1708	5176	lsass.exe	341
PID 5144 set thread context of 5956	5144	lsass.exe	348
PID 5424 set thread context of 2608	5424	lsass.exe	357
PID 4500 set thread context of 6128	4500	lsass.exe	368
PID 5400 set thread context of 5532	5400	lsass.exe	389
PID 6176 set thread context of 6212	6176	lsass.exe	394
PID 6300 set thread context of 6344	6300	lsass.exe	400
PID 6432 set thread context of 6500	6432	lsass.exe	409
PID 6588 set thread context of 6676	6588	lsass.exe	420
PID 6752 set thread context of 6804	6752	lsass.exe	428
PID 6972 set thread context of 7016	6972	lsass.exe	444
PID 7112 set thread context of 7148	7112	lsass.exe	450
PID 464 set thread context of 6292	464	lsass.exe	457
PID 5724 set thread context of 6288	5724	lsass.exe	462
PID 6488 set thread context of 6708	6488	lsass.exe	478
PID 6772 set thread context of 6976	6772	lsass.exe	486
PID 6192 set thread context of 6196	6192	lsass.exe	498
PID 6324 set thread context of 6436	6324	lsass.exe	511
PID 6732 set thread context of 6692	6732	lsass.exe	517
PID 6216 set thread context of 6236	6216	lsass.exe	525
PID 7032 set thread context of 5180	7032	lsass.exe	532
PID 6312 set thread context of 6324	6312	lsass.exe	549
PID 1692 set thread context of 6364	1692	lsass.exe	555
PID 3388 set thread context of 6956	3388	lsass.exe	569
PID 7176 set thread context of 7216	7176	lsass.exe	577
PID 7244 set thread context of 7356	7244	lsass.exe	694
PID 7460 set thread context of 7496	7460	lsass.exe	703
PID 7588 set thread context of 7648	7588	lsass.exe	722
PID 7756 set thread context of 7816	7756	lsass.exe	607
PID 8064 set thread context of 8104	8064	lsass.exe	726
PID 8128 set thread context of 6664	8128	lsass.exe	632
PID 7468 set thread context of 2772	7468	lsass.exe	798
PID 6192 set thread context of 6756	6192	lsass.exe	654
PID 7692 set thread context of 7872	7692	lsass.exe	915
PID 6872 set thread context of 6324	6872	lsass.exe	665
PID 7164 set thread context of 7176	7164	lsass.exe	674
PID 7596 set thread context of 7528	7596	lsass.exe	916
PID 228 set thread context of 4540	228	lsass.exe	695

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File created	C:\Windows\Cftmon\lsass.exe	cca38e573543038958bfac0734582d86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cca38e573543038958bfac0734582d86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4964	cca38e573543038958bfac0734582d86.exe
3520	lsass.exe
2964	lsass.exe
5032	lsass.exe
3548	lsass.exe
1464	lsass.exe
184	lsass.exe
1240	lsass.exe
648	lsass.exe
1844	lsass.exe
4624	lsass.exe
816	lsass.exe
720	lsass.exe
2976	lsass.exe
5080	lsass.exe
5196	lsass.exe
5240	lsass.exe
5464	lsass.exe
5620	lsass.exe
5892	lsass.exe
5988	lsass.exe
6128	lsass.exe
5408	lsass.exe
5640	lsass.exe
5992	lsass.exe
2608	lsass.exe
5176	lsass.exe
5144	lsass.exe
5424	lsass.exe
4500	lsass.exe
5400	lsass.exe
6176	lsass.exe
6300	lsass.exe
6432	lsass.exe
6588	lsass.exe
6752	lsass.exe
6972	lsass.exe
7112	lsass.exe
464	lsass.exe
5724	lsass.exe
6488	lsass.exe
6772	lsass.exe
6192	lsass.exe
6324	lsass.exe
6732	lsass.exe
6216	lsass.exe
7032	lsass.exe
6312	lsass.exe
1692	lsass.exe
3388	lsass.exe
7176	lsass.exe
7244	lsass.exe
7460	lsass.exe
7588	lsass.exe
7756	lsass.exe
8064	lsass.exe
8128	lsass.exe
7468	lsass.exe
6192	lsass.exe
7692	lsass.exe
6872	lsass.exe
7164	lsass.exe
7596	lsass.exe
228	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 4964 wrote to memory of 456	4964	cca38e573543038958bfac0734582d86.exe	89
PID 456 wrote to memory of 4680	456	cca38e573543038958bfac0734582d86.exe	92
PID 456 wrote to memory of 4680	456	cca38e573543038958bfac0734582d86.exe	92
PID 456 wrote to memory of 4680	456	cca38e573543038958bfac0734582d86.exe	92
PID 456 wrote to memory of 4680	456	cca38e573543038958bfac0734582d86.exe	92
PID 456 wrote to memory of 2688	456	cca38e573543038958bfac0734582d86.exe	94
PID 456 wrote to memory of 2688	456	cca38e573543038958bfac0734582d86.exe	94
PID 456 wrote to memory of 2688	456	cca38e573543038958bfac0734582d86.exe	94
PID 456 wrote to memory of 1988	456	cca38e573543038958bfac0734582d86.exe	95
PID 456 wrote to memory of 1988	456	cca38e573543038958bfac0734582d86.exe	95
PID 456 wrote to memory of 1988	456	cca38e573543038958bfac0734582d86.exe	95
PID 456 wrote to memory of 2600	456	cca38e573543038958bfac0734582d86.exe	97
PID 456 wrote to memory of 2600	456	cca38e573543038958bfac0734582d86.exe	97
PID 456 wrote to memory of 2600	456	cca38e573543038958bfac0734582d86.exe	97
PID 456 wrote to memory of 1812	456	cca38e573543038958bfac0734582d86.exe	98
PID 456 wrote to memory of 1812	456	cca38e573543038958bfac0734582d86.exe	98
PID 456 wrote to memory of 1812	456	cca38e573543038958bfac0734582d86.exe	98
PID 456 wrote to memory of 768	456	cca38e573543038958bfac0734582d86.exe	99
PID 456 wrote to memory of 768	456	cca38e573543038958bfac0734582d86.exe	99
PID 456 wrote to memory of 768	456	cca38e573543038958bfac0734582d86.exe	99
PID 456 wrote to memory of 2376	456	cca38e573543038958bfac0734582d86.exe	100
PID 456 wrote to memory of 2376	456	cca38e573543038958bfac0734582d86.exe	100
PID 456 wrote to memory of 2376	456	cca38e573543038958bfac0734582d86.exe	100
PID 456 wrote to memory of 4308	456	cca38e573543038958bfac0734582d86.exe	102
PID 456 wrote to memory of 4308	456	cca38e573543038958bfac0734582d86.exe	102
PID 456 wrote to memory of 4308	456	cca38e573543038958bfac0734582d86.exe	102
PID 456 wrote to memory of 1876	456	cca38e573543038958bfac0734582d86.exe	106
PID 456 wrote to memory of 1876	456	cca38e573543038958bfac0734582d86.exe	106
PID 456 wrote to memory of 3520	456	cca38e573543038958bfac0734582d86.exe	109
PID 456 wrote to memory of 3520	456	cca38e573543038958bfac0734582d86.exe	109
PID 456 wrote to memory of 3520	456	cca38e573543038958bfac0734582d86.exe	109
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 3520 wrote to memory of 4488	3520	lsass.exe	110
PID 4488 wrote to memory of 5052	4488	lsass.exe	111
PID 4488 wrote to memory of 5052	4488	lsass.exe	111
PID 4488 wrote to memory of 5052	4488	lsass.exe	111
PID 4488 wrote to memory of 1916	4488	lsass.exe	112
PID 4488 wrote to memory of 1916	4488	lsass.exe	112
PID 4488 wrote to memory of 1916	4488	lsass.exe	112
PID 4488 wrote to memory of 3428	4488	lsass.exe	113
PID 4488 wrote to memory of 3428	4488	lsass.exe	113
PID 4488 wrote to memory of 3428	4488	lsass.exe	113
PID 4488 wrote to memory of 4648	4488	lsass.exe	114
PID 4488 wrote to memory of 4648	4488	lsass.exe	114
PID 4488 wrote to memory of 4648	4488	lsass.exe	114
PID 4488 wrote to memory of 2828	4488	lsass.exe	116
PID 4488 wrote to memory of 2828	4488	lsass.exe	116
PID 4488 wrote to memory of 2828	4488	lsass.exe	116
PID 4488 wrote to memory of 5036	4488	lsass.exe	117
PID 4488 wrote to memory of 5036	4488	lsass.exe	117
PID 4488 wrote to memory of 5036	4488	lsass.exe	117

C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe
"C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe
  "C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Modifies registry class
    PID:4680
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5032
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:3128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1548
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:184
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:1776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3992
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3164
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5520
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5620
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1492
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5640
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5192
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:6128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6628
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6752
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:5492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7040
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6192
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        
        PID:6196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:5540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6316
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:6956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7264
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7468
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        25⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:4672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:7660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:6508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:6872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:7664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:7184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:7696
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        26⤵
        Drops file in Windows directory
        
        PID:8236
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        27⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:8360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:8872
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        28⤵
        
        PID:9136
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        29⤵
        Drops file in Windows directory
        
        PID:7656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:8480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:8096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:9020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:7528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:9384
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        30⤵
        
        PID:9684
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        31⤵
        
        PID:9792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:9896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:10184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:9404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:9836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:10032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:10140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:9992
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        32⤵
        
        PID:10224
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        33⤵
        
        PID:8248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        34⤵
        
        PID:9976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        34⤵
        
        PID:10468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        34⤵
        
        PID:10612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        34⤵
        
        PID:10752
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3548
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3628
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2480
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:220
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1240
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:3792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4676
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:720
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5272
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Modifies registry class
        
        PID:5504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5220
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5408
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2072
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5424
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6468
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6588
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6056
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6772
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7036
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8024
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:8128
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        Modifies Installed Components in the registry
        
        PID:6664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6956
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        
        PID:7236
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:5328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7296
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        24⤵
        
        PID:8504
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        25⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:8052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:9036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8384
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        26⤵
        
        PID:4516
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        27⤵
        
        PID:8172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:10084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9960
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        28⤵
        
        PID:8212
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        29⤵
        
        PID:9660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:9004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:9752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:10428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:10596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:10728
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:816
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5168
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5240
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5920
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6128
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5504
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5144
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6240
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6432
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2564
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6488
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:6708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6732
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6312
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7956
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:8064
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        
        PID:8104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7516
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:4796
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:7596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9204
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        Drops file in Windows directory
        
        PID:8212
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:6372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:1136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9072
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        24⤵
        
        PID:3896
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        25⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:4464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:9412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:9756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:10092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:9408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:8756
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        26⤵
        
        PID:9948
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        27⤵
        
        PID:9936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:10172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:7996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:9260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:10308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:10548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:10660
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5196
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5864
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5988
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6104
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5176
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4364
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6300
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:6344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4500
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5724
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7120
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7032
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7544
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:7756
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7624
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:228
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:4540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9100
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:8208
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:3420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8584
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        
        PID:6192
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:8212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:2840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:10048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8932
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:5892
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:5936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5292
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:5492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5256
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6176
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:6212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7044
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6488
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6216
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7428
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7588
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:7648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4884
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7596
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8784
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        
        PID:8932
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:8992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:2232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9080
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:8336
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        
        PID:1088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:10068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9380
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        
        PID:9640
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        
        PID:9720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:10208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:10000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:7656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:10348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:10556
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        24⤵
        
        PID:10696
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5992
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5216
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5400
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:5532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6940
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:7112
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6304
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6732
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7272
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7460
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies registry class
        
        PID:7496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4344
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:7164
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Modifies registry class
        
        PID:7176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8604
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        
        PID:8736
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:8844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8696
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        
        PID:8392
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:8152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9852
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        
        PID:10104
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        
        PID:10200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9948
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:9768
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        
        PID:10292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:10404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:10564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:10680
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:6972
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:7016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6252
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:6324
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        
        PID:6436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6784
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7244
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:7356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7636
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6872
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8372
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        
        PID:8656
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:8708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Drops file in Windows directory
        
        PID:4464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:7784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9912
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        
        PID:10152
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        
        PID:10228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5380
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        
        PID:10356
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        
        PID:10436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:10520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:10636
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:7176
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:7216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6692
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:7692
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:7872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7148
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:8400
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8952
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        
        PID:8336
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Adds Run key to start application
        
        PID:8688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9576
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        
        PID:9824
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        
        PID:9976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9360
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        
        PID:9556
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        
        PID:9932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:10284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:10532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:10644
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:6192
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:6756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5584
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:8304
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:8448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8916
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:1136
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:7252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9488
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        
        PID:9764
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        
        PID:9864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:10036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9272
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        
        PID:9820
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        
        PID:9516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10744
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Drops file in Windows directory
      PID:5472
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8780
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:7124
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        
        PID:5644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9248
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:9400
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        
        PID:9568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:10076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9696
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        
        PID:2568
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        
        PID:7784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:10144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:10420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:10604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:10720
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:8888
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Drops file in Windows directory
        
        PID:8836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3720
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:9312
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:9460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:10108
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:8200
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        
        PID:8172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:10008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:10412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:10588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:10688
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:8732
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:9360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:10192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:10016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2340
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:620
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:9764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:10316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:10540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:10652
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:10224
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:10104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:10248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:10484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:10628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1876
- - C:\Windows\Cftmon\lsass.exe
    "C:\Windows\Cftmon\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:776
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2964
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1016
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Executes dropped EXE
        
        PID:816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1808
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983155329-280873152-1838004294-1000\88603cb2913a7df3fbd16b5f958e6447_d1f2fdfb-e063-43be-88aa-b9b0326295b4

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\fs6qeW.cfg

Filesize
1KB

MD5
db9e658207adfe772bd1272abfdeb769

SHA1
20f05518d4a5bdf7559dfee97bb1a36a32ab8f8f

SHA256
b1cb4b5a3e6d7fc78361b8cc2a79ea7e9a7b5b1f0cd0a514fa1e79923452f7f6

SHA512
5678d404b1f8a025dad2a7652e191099716772d6e3c5651154c3597d3e8b23b1a893b138b6e5185626f81a54b909759dc9e154c7450cc605fea16fc7713d5af0

Download Submit
C:\Windows\Cftmon\lsass.exe

Filesize
101KB

MD5
cca38e573543038958bfac0734582d86

SHA1
03caa3e2162c48a8415a9790e8f7c8811e1fb7d0

SHA256
312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d

SHA512
83af9319e2da7893ce0d98e8da9e9fb63778f6c2d6358bdfc5a7b6542670517a59eecc2da1ffc2e80a810952e1d1cf59aa1b579c8b6c1902a6c90cffbdab83a2

Download Submit
memory/184-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/456-8-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/456-7-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/456-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/456-18-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/648-253-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/648-207-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/648-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/720-173-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/816-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/816-83-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/816-126-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1240-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-84-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1708-409-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1708-349-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1776-132-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1776-94-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1844-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-171-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2228-120-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2608-371-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2608-430-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2964-50-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3128-75-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3152-138-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3152-147-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3520-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3548-239-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3548-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3792-110-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3792-159-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4380-68-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4380-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4380-43-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4488-34-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4488-27-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4488-25-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4500-182-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4500-212-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4500-353-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4500-295-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4624-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-15-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4824-156-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4824-219-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4912-108-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4964-9-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5032-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-201-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5044-145-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5136-387-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5136-330-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5232-274-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5324-364-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5324-306-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5364-234-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5364-288-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5492-338-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5492-398-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5504-299-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5504-247-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5532-394-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5532-459-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5668-310-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5668-261-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5732-375-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5732-317-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5936-273-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5936-323-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5956-360-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5956-419-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6056-344-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6056-284-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6128-383-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6128-440-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6212-405-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6212-470-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6292-477-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6344-482-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/6500-426-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/7148-466-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads