orcus | 0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
Size

3.0MB
MD5

56c65d591a8774932454d819af7d199b
SHA1

6368acc0182b686bfef8f4d8c63d84c1ad191235
SHA256

0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc
SHA512

cd584661f78601979267120e3f702beff8259947886f11045695de48a1c3c7731d131d6f800a1193f10783a65d596cb279b970ada242833bbeb1917949444a0a
SSDEEP

49152:gYwN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmCWncFf0I74gu39Ms:g/0wGGzBjryX82uypSb9ndo9JCmV

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.100.3:4444

Mutex

385cbca3ba9444dc92ca47ce9ac1e3d9

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
C:\Windows\System32\edge.exe
reconnect_delay
10000
registry_keyname
Defender
taskscheduler_taskname
system
watchdog_path
Temp\msedge.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/4052-1-0x0000014478D20000-0x000001447902E000-memory.dmp	orcus
behavioral2/files/0x0007000000023464-35.dat	orcus

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	WindowsInput.exe
2376	WindowsInput.exe
1552	edge.exe
408	edge.exe
1840	msedge.exe
5080	msedge.exe
1804	msedge.exe
2088	msedge.exe
4808	msedge.exe
4156	msedge.exe
2472	msedge.exe
4992	msedge.exe
972	msedge.exe
4440	msedge.exe
4852	msedge.exe
2880	msedge.exe
3528	msedge.exe
2660	msedge.exe
4236	msedge.exe
5116	msedge.exe
1804	msedge.exe
944	msedge.exe
4408	msedge.exe
3608	msedge.exe
2144	msedge.exe
1164	msedge.exe
4568	msedge.exe
2704	msedge.exe
3064	msedge.exe
1932	msedge.exe
3380	msedge.exe
5116	msedge.exe
4556	msedge.exe
212	msedge.exe
1168	msedge.exe
2700	msedge.exe
3916	msedge.exe
4884	msedge.exe
5096	msedge.exe
1200	msedge.exe
4412	msedge.exe
3548	msedge.exe
4640	msedge.exe
1472	msedge.exe
2080	msedge.exe
2888	msedge.exe
4452	msedge.exe
1616	msedge.exe
928	msedge.exe
3984	msedge.exe
1192	msedge.exe
1164	msedge.exe
2536	msedge.exe
5032	msedge.exe
5104	msedge.exe
3808	msedge.exe
4792	msedge.exe
3684	msedge.exe
2088	msedge.exe
4156	msedge.exe
3428	msedge.exe
2876	msedge.exe
3052	msedge.exe
1896	msedge.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\System32\edge.exe	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
File opened for modification	C:\Windows\System32\edge.exe	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
File created	C:\Windows\System32\edge.exe.config	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1008	5080	WerFault.exe	92
1652	2088	WerFault.exe	97
4064	4156	WerFault.exe
3628	4992	WerFault.exe	106
1420	4440	WerFault.exe
3624	2880	WerFault.exe	116
4140	2660	WerFault.exe	120
1060	5116	WerFault.exe	126
1172	944	WerFault.exe	131
4456	3608	WerFault.exe	135
4372	1164	WerFault.exe	140
2040	2704	WerFault.exe	144
5112	1932	WerFault.exe	148
3492	5116	WerFault.exe	152
3460	212	WerFault.exe	157
3336	2700	WerFault.exe	161
4836	4884	WerFault.exe	165
4612	1200	WerFault.exe	169
4460	3548	WerFault.exe	173
5112	1472	WerFault.exe	177
3744	2888	WerFault.exe
1168	1616	WerFault.exe	187
5084	3984	WerFault.exe	104
2880	1164	WerFault.exe	140
424	5032	WerFault.exe
2920	3808	WerFault.exe
4648	3684	WerFault.exe	128
4456	4156	WerFault.exe	211
2188	2876	WerFault.exe
1432	1896	WerFault.exe
3488	3904	WerFault.exe
1468	1004	WerFault.exe
3392	2640	WerFault.exe	231
1932	1472	WerFault.exe	235
2308	2888	WerFault.exe	239
2876	384	WerFault.exe	243
4632	372	WerFault.exe	139
3904	4452	WerFault.exe	251
4312	4552	WerFault.exe	255
5096	396	WerFault.exe
5100	968	WerFault.exe	263
4268	368	WerFault.exe
3064	4568	WerFault.exe	271
4196	3948	WerFault.exe	275
2292	4412	WerFault.exe	172
4896	620	WerFault.exe	283
4916	1904	WerFault.exe	200
4920	3736	WerFault.exe	291
3684	5080	WerFault.exe	295
1152	2988	WerFault.exe
3984	4568	WerFault.exe	303
4716	4816	WerFault.exe	307
3304	928	WerFault.exe	190
1192	4052	WerFault.exe	315
2172	2692	WerFault.exe	319
3936	3988	WerFault.exe	323
2308	1172	WerFault.exe	327
4468	4580	WerFault.exe
4836	5084	WerFault.exe	335
4140	2924	WerFault.exe	85
2656	3304	WerFault.exe	313
2128	2280	WerFault.exe	347
2284	2088	WerFault.exe	351
2888	2040	WerFault.exe	146

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe
1552	edge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1552	edge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	msedge.exe
Token: SeDebugPrivilege	1552	edge.exe
Token: SeDebugPrivilege	1804	msedge.exe
Token: SeDebugPrivilege	4808	msedge.exe
Token: SeDebugPrivilege	2472	msedge.exe
Token: SeDebugPrivilege	972	msedge.exe
Token: SeDebugPrivilege	4852	msedge.exe
Token: SeDebugPrivilege	3528	msedge.exe
Token: SeDebugPrivilege	4236	msedge.exe
Token: SeDebugPrivilege	1804	msedge.exe
Token: SeDebugPrivilege	4408	msedge.exe
Token: SeDebugPrivilege	2144	msedge.exe
Token: SeDebugPrivilege	4568	msedge.exe
Token: SeDebugPrivilege	3064	msedge.exe
Token: SeDebugPrivilege	3380	msedge.exe
Token: SeDebugPrivilege	4556	msedge.exe
Token: SeDebugPrivilege	1168	msedge.exe
Token: SeDebugPrivilege	3916	msedge.exe
Token: SeDebugPrivilege	5096	msedge.exe
Token: SeDebugPrivilege	4412	msedge.exe
Token: SeDebugPrivilege	4640	msedge.exe
Token: SeDebugPrivilege	2080	msedge.exe
Token: SeDebugPrivilege	4452	msedge.exe
Token: SeDebugPrivilege	928	msedge.exe
Token: SeDebugPrivilege	1192	msedge.exe
Token: SeDebugPrivilege	2536	msedge.exe
Token: SeDebugPrivilege	5104	msedge.exe
Token: SeDebugPrivilege	4792	msedge.exe
Token: SeDebugPrivilege	2088	msedge.exe
Token: SeDebugPrivilege	3428	msedge.exe
Token: SeDebugPrivilege	3052	msedge.exe
Token: SeDebugPrivilege	3920	msedge.exe
Token: SeDebugPrivilege	5096	msedge.exe
Token: SeDebugPrivilege	2128	msedge.exe
Token: SeDebugPrivilege	60	msedge.exe
Token: SeDebugPrivilege	2952	msedge.exe
Token: SeDebugPrivilege	400	msedge.exe
Token: SeDebugPrivilege	5060	msedge.exe
Token: SeDebugPrivilege	4916	msedge.exe
Token: SeDebugPrivilege	4640	msedge.exe
Token: SeDebugPrivilege	5008	msedge.exe
Token: SeDebugPrivilege	2920	msedge.exe
Token: SeDebugPrivilege	2456	msedge.exe
Token: SeDebugPrivilege	4468	msedge.exe
Token: SeDebugPrivilege	4148	msedge.exe
Token: SeDebugPrivilege	1432	msedge.exe
Token: SeDebugPrivilege	716	msedge.exe
Token: SeDebugPrivilege	3788	msedge.exe
Token: SeDebugPrivilege	5104	msedge.exe
Token: SeDebugPrivilege	4376	msedge.exe
Token: SeDebugPrivilege	748	msedge.exe
Token: SeDebugPrivilege	4428	msedge.exe
Token: SeDebugPrivilege	4512	msedge.exe
Token: SeDebugPrivilege	2080	msedge.exe
Token: SeDebugPrivilege	3924	msedge.exe
Token: SeDebugPrivilege	1260	msedge.exe
Token: SeDebugPrivilege	3048	msedge.exe
Token: SeDebugPrivilege	2120	msedge.exe
Token: SeDebugPrivilege	2056	msedge.exe
Token: SeDebugPrivilege	1100	msedge.exe
Token: SeDebugPrivilege	2880	msedge.exe
Token: SeDebugPrivilege	4452	msedge.exe
Token: SeDebugPrivilege	1004	msedge.exe
Token: SeDebugPrivilege	2824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2924	4052	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe	85
PID 4052 wrote to memory of 2924	4052	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe	85
PID 4052 wrote to memory of 1552	4052	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe	89
PID 4052 wrote to memory of 1552	4052	0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe	89
PID 1552 wrote to memory of 1840	1552	edge.exe	91
PID 1552 wrote to memory of 1840	1552	edge.exe	91
PID 1552 wrote to memory of 1840	1552	edge.exe	91
PID 1840 wrote to memory of 5080	1840	msedge.exe	92
PID 1840 wrote to memory of 5080	1840	msedge.exe	92
PID 1840 wrote to memory of 5080	1840	msedge.exe	92
PID 1552 wrote to memory of 1804	1552	edge.exe	158
PID 1552 wrote to memory of 1804	1552	edge.exe	158
PID 1552 wrote to memory of 1804	1552	edge.exe	158
PID 1804 wrote to memory of 2088	1804	msedge.exe	97
PID 1804 wrote to memory of 2088	1804	msedge.exe	97
PID 1804 wrote to memory of 2088	1804	msedge.exe	97
PID 1552 wrote to memory of 4808	1552	edge.exe	100
PID 1552 wrote to memory of 4808	1552	edge.exe	100
PID 1552 wrote to memory of 4808	1552	edge.exe	100
PID 4808 wrote to memory of 4156	4808	msedge.exe	101
PID 4808 wrote to memory of 4156	4808	msedge.exe	101
PID 4808 wrote to memory of 4156	4808	msedge.exe	101
PID 1552 wrote to memory of 2472	1552	edge.exe	105
PID 1552 wrote to memory of 2472	1552	edge.exe	105
PID 1552 wrote to memory of 2472	1552	edge.exe	105
PID 2472 wrote to memory of 4992	2472	msedge.exe	106
PID 2472 wrote to memory of 4992	2472	msedge.exe	106
PID 2472 wrote to memory of 4992	2472	msedge.exe	106
PID 1552 wrote to memory of 972	1552	edge.exe	111
PID 1552 wrote to memory of 972	1552	edge.exe	111
PID 1552 wrote to memory of 972	1552	edge.exe	111
PID 972 wrote to memory of 4440	972	msedge.exe	112
PID 972 wrote to memory of 4440	972	msedge.exe	112
PID 972 wrote to memory of 4440	972	msedge.exe	112
PID 1552 wrote to memory of 4852	1552	edge.exe	115
PID 1552 wrote to memory of 4852	1552	edge.exe	115
PID 1552 wrote to memory of 4852	1552	edge.exe	115
PID 4852 wrote to memory of 2880	4852	msedge.exe	338
PID 4852 wrote to memory of 2880	4852	msedge.exe	338
PID 4852 wrote to memory of 2880	4852	msedge.exe	338
PID 1552 wrote to memory of 3528	1552	edge.exe	119
PID 1552 wrote to memory of 3528	1552	edge.exe	119
PID 1552 wrote to memory of 3528	1552	edge.exe	119
PID 3528 wrote to memory of 2660	3528	msedge.exe	120
PID 3528 wrote to memory of 2660	3528	msedge.exe	120
PID 3528 wrote to memory of 2660	3528	msedge.exe	120
PID 1552 wrote to memory of 4236	1552	edge.exe	123
PID 1552 wrote to memory of 4236	1552	edge.exe	123
PID 1552 wrote to memory of 4236	1552	edge.exe	123
PID 4236 wrote to memory of 5116	4236	msedge.exe	152
PID 4236 wrote to memory of 5116	4236	msedge.exe	152
PID 4236 wrote to memory of 5116	4236	msedge.exe	152
PID 1552 wrote to memory of 1804	1552	edge.exe	240
PID 1552 wrote to memory of 1804	1552	edge.exe	240
PID 1552 wrote to memory of 1804	1552	edge.exe	240
PID 1804 wrote to memory of 944	1804	msedge.exe	131
PID 1804 wrote to memory of 944	1804	msedge.exe	131
PID 1804 wrote to memory of 944	1804	msedge.exe	131
PID 1552 wrote to memory of 4408	1552	edge.exe	134
PID 1552 wrote to memory of 4408	1552	edge.exe	134
PID 1552 wrote to memory of 4408	1552	edge.exe	134
PID 4408 wrote to memory of 3608	4408	msedge.exe	135
PID 4408 wrote to memory of 3608	4408	msedge.exe	135
PID 4408 wrote to memory of 3608	4408	msedge.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe
"C:\Users\Admin\AppData\Local\Temp\0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2924
- C:\Windows\System32\edge.exe
  "C:\Windows\System32\edge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:5080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 852
        5⤵
        Program crash
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 840
        5⤵
        Program crash
        
        PID:1652
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:4156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 840
        5⤵
        Program crash
        
        PID:4064
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:4992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 768
        5⤵
        Program crash
        
        PID:3628
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:4440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 840
        5⤵
        Program crash
        
        PID:1420
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 840
        5⤵
        Program crash
        
        PID:3624
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 836
        5⤵
        Program crash
        
        PID:4140
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 840
        5⤵
        Program crash
        
        PID:1060
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 840
        5⤵
        Program crash
        
        PID:1172
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:3608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 840
        5⤵
        Program crash
        
        PID:4456
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 840
        5⤵
        Program crash
        
        PID:4372
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 840
        5⤵
        Program crash
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 840
        5⤵
        Program crash
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 840
        5⤵
        Program crash
        
        PID:3492
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 852
        5⤵
        Program crash
        
        PID:3460
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 840
        5⤵
        Program crash
        
        PID:3336
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:4884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 840
        5⤵
        Program crash
        
        PID:4836
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 840
        5⤵
        Program crash
        
        PID:4612
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:3548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 840
        5⤵
        Program crash
        
        PID:4460
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 840
        5⤵
        Program crash
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 840
        5⤵
        Program crash
        
        PID:3744
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 844
        5⤵
        Program crash
        
        PID:1168
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:3984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 856
        5⤵
        Program crash
        
        PID:5084
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 848
        5⤵
        Program crash
        
        PID:2880
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:5032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 840
        5⤵
        Program crash
        
        PID:424
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:3808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 840
        5⤵
        Program crash
        
        PID:2920
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:3684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 840
        5⤵
        Program crash
        
        PID:4648
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:4156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 840
        5⤵
        Program crash
        
        PID:4456
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 840
        5⤵
        Program crash
        
        PID:2188
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      Executes dropped EXE
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 840
        5⤵
        Program crash
        
        PID:1432
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 840
        5⤵
        Program crash
        
        PID:3488
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 840
        5⤵
        Program crash
        
        PID:1468
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 840
        5⤵
        Program crash
        
        PID:3392
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 840
        5⤵
        Program crash
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 840
        5⤵
        Program crash
        
        PID:2308
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 840
        5⤵
        Program crash
        
        PID:2876
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 840
        5⤵
        Program crash
        
        PID:4632
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 840
        5⤵
        Program crash
        
        PID:3904
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 840
        5⤵
        Program crash
        
        PID:4312
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 840
        5⤵
        Program crash
        
        PID:5096
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 840
        5⤵
        Program crash
        
        PID:5100
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 840
        5⤵
        Program crash
        
        PID:4268
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 840
        5⤵
        Program crash
        
        PID:3064
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 840
        5⤵
        Program crash
        
        PID:4196
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 840
        5⤵
        Program crash
        
        PID:2292
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 840
        5⤵
        Program crash
        
        PID:4896
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 840
        5⤵
        Program crash
        
        PID:4916
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 840
        5⤵
        Program crash
        
        PID:4920
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 840
        5⤵
        Program crash
        
        PID:3684
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 840
        5⤵
        Program crash
        
        PID:1152
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 840
        5⤵
        Program crash
        
        PID:3984
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 840
        5⤵
        Program crash
        
        PID:4716
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 840
        5⤵
        Program crash
        
        PID:3304
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 840
        5⤵
        Program crash
        
        PID:1192
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 840
        5⤵
        Program crash
        
        PID:2172
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 840
        5⤵
        Program crash
        
        PID:3936
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 840
        5⤵
        Program crash
        
        PID:2308
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 840
        5⤵
        Program crash
        
        PID:4468
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 840
        5⤵
        Program crash
        
        PID:4836
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 840
        5⤵
        Program crash
        
        PID:4140
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 840
        5⤵
        Program crash
        
        PID:2656
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 840
        5⤵
        Program crash
        
        PID:2128
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 840
        5⤵
        Program crash
        
        PID:2284
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 840
        5⤵
        Program crash
        
        PID:2888
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 840
        5⤵
        
        PID:1616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 840
        5⤵
        
        PID:1296
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 840
        5⤵
        
        PID:4836
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 840
        5⤵
        
        PID:4292
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 840
        5⤵
        
        PID:3304
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 840
        5⤵
        
        PID:3364
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 840
        5⤵
        
        PID:968
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 840
        5⤵
        
        PID:1152
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 840
        5⤵
        
        PID:1432
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 840
        5⤵
        
        PID:3772
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 840
        5⤵
        
        PID:532
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 840
        5⤵
        
        PID:4896
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 840
        5⤵
        
        PID:3392
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 840
        5⤵
        
        PID:4252
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 840
        5⤵
        
        PID:1196
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 840
        5⤵
        
        PID:2396
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 840
        5⤵
        
        PID:4372
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 840
        5⤵
        
        PID:452
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 840
        5⤵
        
        PID:928
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 840
        5⤵
        
        PID:4884
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 840
        5⤵
        
        PID:3364
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 840
        5⤵
        
        PID:3380
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 840
        5⤵
        
        PID:4468
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 840
        5⤵
        
        PID:4148
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 840
        5⤵
        
        PID:4440
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 840
        5⤵
        
        PID:4444
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 840
        5⤵
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 840
        5⤵
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 840
        5⤵
        
        PID:2572
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 840
        5⤵
        
        PID:4392
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 840
        5⤵
        
        PID:1172
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 840
        5⤵
        
        PID:2988
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 840
        5⤵
        
        PID:4152
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 840
        5⤵
        
        PID:372
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 840
        5⤵
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 840
        5⤵
        
        PID:1164
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 844
        5⤵
        
        PID:1080
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 840
        5⤵
        
        PID:1072
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 840
        5⤵
        
        PID:5032
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 840
        5⤵
        
        PID:3052
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 848
        5⤵
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 840
        5⤵
        
        PID:3904
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 840
        5⤵
        
        PID:4464
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 840
        5⤵
        
        PID:2472
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 840
        5⤵
        
        PID:3964
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 840
        5⤵
        
        PID:1480
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 852
        5⤵
        
        PID:4468
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 840
        5⤵
        
        PID:2292
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 840
        5⤵
        
        PID:3116
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 840
        5⤵
        
        PID:4836
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 840
        5⤵
        
        PID:3428
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 840
        5⤵
        
        PID:2188
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 840
        5⤵
        
        PID:4816
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 840
        5⤵
        
        PID:4428
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 840
        5⤵
        
        PID:1072
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 840
        5⤵
        
        PID:4016
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 840
        5⤵
        
        PID:4148
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 840
        5⤵
        
        PID:2924
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 840
        5⤵
        
        PID:3488
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 840
        5⤵
        
        PID:4500
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 840
        5⤵
        
        PID:2096
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 840
        5⤵
        
        PID:1468
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 840
        5⤵
        
        PID:4620
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 840
        5⤵
        
        PID:620
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840
        5⤵
        
        PID:3252
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 840
        5⤵
        
        PID:4992
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 840
        5⤵
        
        PID:2328
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 840
        5⤵
        
        PID:5080
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 840
        5⤵
        
        PID:1060
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 840
        5⤵
        
        PID:4084
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 840
        5⤵
        
        PID:956
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 840
        5⤵
        
        PID:4552
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 840
        5⤵
        
        PID:4820
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 840
        5⤵
        
        PID:4140
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 840
        5⤵
        
        PID:1520
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 840
        5⤵
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 840
        5⤵
        
        PID:2568
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 840
        5⤵
        
        PID:2388
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 840
        5⤵
        
        PID:1616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 840
        5⤵
        
        PID:2356
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 840
        5⤵
        
        PID:1420
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 840
        5⤵
        
        PID:2080
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 840
        5⤵
        
        PID:1160
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 840
        5⤵
        
        PID:4284
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 840
        5⤵
        
        PID:4608
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 840
        5⤵
        
        PID:1896
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 840
        5⤵
        
        PID:4632
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 840
        5⤵
        
        PID:2128
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 840
        5⤵
        
        PID:1020
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 840
        5⤵
        
        PID:368
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 840
        5⤵
        
        PID:4556
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 840
        5⤵
        
        PID:2664
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 840
        5⤵
        
        PID:4148
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 840
        5⤵
        
        PID:3988
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 840
        5⤵
        
        PID:372
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 840
        5⤵
        
        PID:4072
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 840
        5⤵
        
        PID:2364
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 840
        5⤵
        
        PID:4648
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 840
        5⤵
        
        PID:4380
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 840
        5⤵
        
        PID:4968
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 840
        5⤵
        
        PID:3252
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 840
        5⤵
        
        PID:4568
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 840
        5⤵
        
        PID:2704
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 840
        5⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 840
        5⤵
        
        PID:3960
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 840
        5⤵
        
        PID:1060
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 840
        5⤵
        
        PID:3616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 840
        5⤵
        
        PID:464
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 840
        5⤵
        
        PID:3984
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 840
        5⤵
        
        PID:636
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 840
        5⤵
        
        PID:2320
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 840
        5⤵
        
        PID:220
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 840
        5⤵
        
        PID:1160
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 840
        5⤵
        
        PID:3196
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 840
        5⤵
        
        PID:2328
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 840
        5⤵
        
        PID:4452
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 840
        5⤵
        
        PID:3132
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 840
        5⤵
        
        PID:1880
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 840
        5⤵
        
        PID:1696
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 840
        5⤵
        
        PID:3908
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 840
        5⤵
        
        PID:1300
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 840
        5⤵
        
        PID:1364
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 840
        5⤵
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 840
        5⤵
        
        PID:4304
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 840
        5⤵
        
        PID:4312
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 840
        5⤵
        
        PID:424
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 840
        5⤵
        
        PID:1268
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 840
        5⤵
        
        PID:3672
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 840
        5⤵
        
        PID:2028
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 840
        5⤵
        
        PID:3304
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 840
        5⤵
        
        PID:4768
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 840
        5⤵
        
        PID:2460
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 840
        5⤵
        
        PID:1432
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 840
        5⤵
        
        PID:1168
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 840
        5⤵
        
        PID:5080
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 840
        5⤵
        
        PID:748
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 848
        5⤵
        
        PID:4656
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 840
        5⤵
        
        PID:2892
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 840
        5⤵
        
        PID:2816
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 840
        5⤵
        
        PID:2640
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 840
        5⤵
        
        PID:4252
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 840
        5⤵
        
        PID:1508
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 840
        5⤵
        
        PID:620
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 840
        5⤵
        
        PID:3988
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 840
        5⤵
        
        PID:4512
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 840
        5⤵
        
        PID:1708
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 840
        5⤵
        
        PID:4620
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 840
        5⤵
        
        PID:2088
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 840
        5⤵
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 840
        5⤵
        
        PID:1300
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 840
        5⤵
        
        PID:4024
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 840
        5⤵
        
        PID:3316
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 840
        5⤵
        
        PID:1736
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 840
        5⤵
        
        PID:4316
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 840
        5⤵
        
        PID:2820
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 840
        5⤵
        
        PID:2388
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 840
        5⤵
        
        PID:3716
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 840
        5⤵
        
        PID:3932
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 840
        5⤵
        
        PID:4084
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 840
        5⤵
        
        PID:3164
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 840
        5⤵
        
        PID:3512
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 840
        5⤵
        
        PID:5080
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 840
        5⤵
        
        PID:4152
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 840
        5⤵
        
        PID:1108
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 840
        5⤵
        
        PID:2340
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 840
        5⤵
        
        PID:2816
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 840
        5⤵
        
        PID:1616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 840
        5⤵
        
        PID:4632
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 840
        5⤵
        
        PID:2096
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 840
        5⤵
        
        PID:4612
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 840
        5⤵
        
        PID:1784
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 840
        5⤵
        
        PID:372
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 840
        5⤵
        
        PID:4640
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 840
        5⤵
        
        PID:3628
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 840
        5⤵
        
        PID:3196
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 840
        5⤵
        
        PID:4616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 840
        5⤵
        
        PID:3392
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 840
        5⤵
        
        PID:4496
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 840
        5⤵
        
        PID:3948
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 840
        5⤵
        
        PID:3208
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 840
        5⤵
        
        PID:1360
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 840
        5⤵
        
        PID:2144
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 840
        5⤵
        
        PID:1896
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 840
        5⤵
        
        PID:1652
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 840
        5⤵
        
        PID:4780
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 840
        5⤵
        
        PID:2616
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 840
        5⤵
        
        PID:2960
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 840
        5⤵
        
        PID:1648
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    - Checks computer location settings
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 840
        5⤵
        
        PID:4916
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 840
        5⤵
        
        PID:3576
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /launchSelfAndExit "C:\Windows\System32\edge.exe" 1552 /protectFile
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe" /watchProcess "C:\Windows\System32\edge.exe" 1552 "/protectFile"
      4⤵
      PID:4032

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\edge.exe
C:\Windows\System32\edge.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2088 -ip 2088
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4156 -ip 4156
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4992 -ip 4992
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4440 -ip 4440
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2880 -ip 2880
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2660 -ip 2660
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5116 -ip 5116
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 944 -ip 944
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3608 -ip 3608
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1164 -ip 1164
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2704 -ip 2704
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1932 -ip 1932
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5116 -ip 5116
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 212 -ip 212
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2700 -ip 2700
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4884 -ip 4884
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1200 -ip 1200
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3548 -ip 3548
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1472 -ip 1472
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2888 -ip 2888
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1616 -ip 1616
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3984 -ip 3984
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1164 -ip 1164
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5032 -ip 5032
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3808 -ip 3808
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3684 -ip 3684
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4156 -ip 4156
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2876 -ip 2876
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1896 -ip 1896
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3904 -ip 3904
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1004 -ip 1004
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2640 -ip 2640
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1472 -ip 1472
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2888 -ip 2888
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 384 -ip 384
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 372 -ip 372
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4452 -ip 4452
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4552 -ip 4552
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 396 -ip 396
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 968 -ip 968
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 368 -ip 368
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4568 -ip 4568
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3948 -ip 3948
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4412 -ip 4412
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 620 -ip 620
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1904 -ip 1904
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3736 -ip 3736
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5080 -ip 5080
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2988 -ip 2988
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4568 -ip 4568
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4816 -ip 4816
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 928 -ip 928
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4052 -ip 4052
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 2692 -ip 2692
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3988 -ip 3988
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1172 -ip 1172
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 4580 -ip 4580
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 5084 -ip 5084
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 2924 -ip 2924
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 3304 -ip 3304
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 2280 -ip 2280
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 2088 -ip 2088
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 2040 -ip 2040
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3748 -ip 3748
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 5032 -ip 5032
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2568 -ip 2568
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 536 -ip 536
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 2648 -ip 2648
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 3052 -ip 3052
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4152 -ip 4152
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 2040 -ip 2040
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2120 -ip 2120
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 384 -ip 384
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3916 -ip 3916
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 424 -ip 424
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1904 -ip 1904
1⤵
PID:4464

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv XzaJACwUOki/0wmweMQLUQ.0.2
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1488 -ip 1488
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5076 -ip 5076
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 624 -ip 624
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4376 -ip 4376
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2568 -ip 2568
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4296 -ip 4296
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4356 -ip 4356
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4204 -ip 4204
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2372 -ip 2372
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2040 -ip 2040
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4992 -ip 4992
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4084 -ip 4084
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3708 -ip 3708
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4776 -ip 4776
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4428 -ip 4428
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3156 -ip 3156
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1152 -ip 1152
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4920 -ip 4920
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3608 -ip 3608
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2200 -ip 2200
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1896 -ip 1896
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5016 -ip 5016
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3948 -ip 3948
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3444 -ip 3444
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1260 -ip 1260
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1152 -ip 1152
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3772 -ip 3772
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2916 -ip 2916
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1468 -ip 1468
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3736 -ip 3736
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3160 -ip 3160
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2572 -ip 2572
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2372 -ip 2372
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1432 -ip 1432
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3860 -ip 3860
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2844 -ip 2844
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1784 -ip 1784
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2536 -ip 2536
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 876 -ip 876
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1932 -ip 1932
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1480 -ip 1480
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 872 -ip 872
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4916 -ip 4916
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1880 -ip 1880
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4720 -ip 4720
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4356 -ip 4356
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1616 -ip 1616
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2280 -ip 2280
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5116 -ip 5116
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3788 -ip 3788
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4600 -ip 4600
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4348 -ip 4348
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2916 -ip 2916
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1080 -ip 1080
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4316 -ip 4316
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4240 -ip 4240
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4772 -ip 4772
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3716 -ip 3716
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 220 -ip 220
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3688 -ip 3688
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2652 -ip 2652
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4292 -ip 4292
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1488 -ip 1488
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4356 -ip 4356
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1076 -ip 1076
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4772 -ip 4772
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3716 -ip 3716
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2796 -ip 2796
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4712 -ip 4712
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2280 -ip 2280
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 372 -ip 372
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4292 -ip 4292
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3492 -ip 3492
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4768 -ip 4768
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4816 -ip 4816
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1300 -ip 1300
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 624 -ip 624
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2080 -ip 2080
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 384 -ip 384
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1152 -ip 1152
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4656 -ip 4656
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1940 -ip 1940
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4884 -ip 4884
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 532 -ip 532
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 876 -ip 876
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2208 -ip 2208
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 408 -ip 408
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1264 -ip 1264
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3512 -ip 3512
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1396 -ip 1396
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4668 -ip 4668
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2820 -ip 2820
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3108 -ip 3108
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4976 -ip 4976
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4792 -ip 4792
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4592 -ip 4592
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4772 -ip 4772
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1156 -ip 1156
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2664 -ip 2664
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1520 -ip 1520
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1564 -ip 1564
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4460 -ip 4460
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1060 -ip 1060
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4124 -ip 4124
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4808 -ip 4808
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4356 -ip 4356
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3924 -ip 3924
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3788 -ip 3788
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 924 -ip 924
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3316 -ip 3316
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2472 -ip 2472
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1604 -ip 1604
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 712 -ip 712
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4884 -ip 4884
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 464 -ip 464
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2372 -ip 2372
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4916 -ip 4916
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3716 -ip 3716
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3624 -ip 3624
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4032 -ip 4032
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4444 -ip 4444
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1564 -ip 1564
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1336 -ip 1336
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 312 -ip 312
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 464 -ip 464
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 532 -ip 532
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3808 -ip 3808
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1420 -ip 1420
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1736 -ip 1736
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3800 -ip 3800
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1564 -ip 1564
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4496 -ip 4496
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4976 -ip 4976
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3380 -ip 3380
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2080 -ip 2080
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5032 -ip 5032
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2692 -ip 2692
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3112 -ip 3112
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 452 -ip 452
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1656 -ip 1656
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3956 -ip 3956
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4632 -ip 4632
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1196 -ip 1196
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 872 -ip 872
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3392 -ip 3392
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1156 -ip 1156
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1904 -ip 1904
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1008 -ip 1008
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4968 -ip 4968
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3500 -ip 3500
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4660 -ip 4660
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4268 -ip 4268
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1168 -ip 1168
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2200 -ip 2200
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4452 -ip 4452
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1252 -ip 1252
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1472 -ip 1472
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4344 -ip 4344
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4624 -ip 4624
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4460 -ip 4460
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4548 -ip 4548
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3868 -ip 3868
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1508 -ip 1508
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4568 -ip 4568
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4580 -ip 4580
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3524 -ip 3524
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4412 -ip 4412
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2028 -ip 2028
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3488 -ip 3488
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4908 -ip 4908
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4976 -ip 4976
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4124 -ip 4124
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msedge.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
9KB

MD5
8ace06702ec59d170ca2b31f95812e0f

SHA1
de36712adf9b67d0b4c99d12eb59361adfc5473f

SHA256
f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45

SHA512
5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe.config

Filesize
159B

MD5
740dde6369b1c855ea2f8e171fa888c8

SHA1
db3f1c7e5e4c087cf9eb02376fd750f1879f28f8

SHA256
e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae

SHA512
114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
a80be96476032d2eaa901d180fe9fb73

SHA1
f378d0bc5fefb9ea0b5006f020091ffcbcd7acec

SHA256
d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42

SHA512
210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\System32\edge.exe

Filesize
3.0MB

MD5
56c65d591a8774932454d819af7d199b

SHA1
6368acc0182b686bfef8f4d8c63d84c1ad191235

SHA256
0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc

SHA512
cd584661f78601979267120e3f702beff8259947886f11045695de48a1c3c7731d131d6f800a1193f10783a65d596cb279b970ada242833bbeb1917949444a0a

Download Submit
memory/1552-48-0x000001F42F860000-0x000001F42F8B8000-memory.dmp

Filesize
352KB

Download
memory/1552-51-0x000001F42F930000-0x000001F42F940000-memory.dmp

Filesize
64KB

Download
memory/1552-50-0x000001F42F910000-0x000001F42F928000-memory.dmp

Filesize
96KB

Download
memory/1552-47-0x000001F42E0A0000-0x000001F42E0B2000-memory.dmp

Filesize
72KB

Download
memory/1840-65-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2376-29-0x000001A47D4B0000-0x000001A47D5BA000-memory.dmp

Filesize
1.0MB

Download
memory/2924-21-0x000001603BE60000-0x000001603BE72000-memory.dmp

Filesize
72KB

Download
memory/2924-27-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2924-23-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2924-19-0x000001603BA70000-0x000001603BA7C000-memory.dmp

Filesize
48KB

Download
memory/2924-22-0x0000016055E80000-0x0000016055EBC000-memory.dmp

Filesize
240KB

Download
memory/2924-20-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-4-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-46-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-0-0x00007FF95A033000-0x00007FF95A035000-memory.dmp

Filesize
8KB

Download
memory/4052-3-0x00000144793D0000-0x00000144793DE000-memory.dmp

Filesize
56KB

Download
memory/4052-2-0x000001447B3D0000-0x000001447B42C000-memory.dmp

Filesize
368KB

Download
memory/4052-5-0x000001447B3B0000-0x000001447B3C2000-memory.dmp

Filesize
72KB

Download
memory/4052-1-0x0000014478D20000-0x000001447902E000-memory.dmp

Filesize
3.1MB

Download