fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

max time kernel
534s
max time network
535s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 11:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=cvmnqwsvya

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\guard-pmjw.exe"

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Blocklisted process makes network request 1 IoCs

Processes:

flow pid process

264 6852

flow	pid	process
264	6852

Sets file execution options in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "svchost.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\Debugger = "svchost.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "svchost.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "svchost.exe"

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation

Executes dropped EXE 6 IoCs

Processes:

[email protected][email protected]program2.exe

pid process

5680 [email protected]
1500 [email protected]
6976 program2.exe
772
2104
3708
Loads dropped DLL 3 IoCs

Processes:

pid process

2104
2104
2104
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

138 raw.githubusercontent.com
139 raw.githubusercontent.com
127 camo.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

262 checkip.dyndns.org

pid	process
5680	[email protected]
1500	[email protected]
6976	program2.exe
772
2104
3708

pid	process
2104
2104
2104

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

flow	ioc
138	raw.githubusercontent.com
139	raw.githubusercontent.com
127	camo.githubusercontent.com

flow	ioc
262	checkip.dyndns.org

Drops file in System32 directory 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\services.msc
File opened for modification	C:\Windows\SysWOW64\eventvwr.msc
File opened for modification	C:\Windows\SysWOW64\diskmgmt.msc

Drops file in Program Files directory 10 IoCs

Processes:

description	ioc	process
File created	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
File created	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
File created	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
File opened for modification	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
File opened for modification	C:\Program Files (x86)\antiviruspc2009
File created	C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_241069421
File opened for modification	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
File created	C:\Program Files (x86)\antiviruspc2009\bzip2.dll
File opened for modification	C:\Program Files (x86)\antiviruspc2009\bzip2.dll
File opened for modification	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

800 3160 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
800	3160	WerFault.exe	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 26 IoCs

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{E6CAA8CC-2A31-4FD9-BFA4-6C32406507B9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	245	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	246	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	247	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2408	msedge.exe
2408	msedge.exe
880	msedge.exe
880	msedge.exe
3296	identity_helper.exe
3296	identity_helper.exe
3976	msedge.exe
3976	msedge.exe
5456	msedge.exe
5456	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4000	msedge.exe
4000	msedge.exe
6204
6204
6484
6484
6272
6272
6444
6444
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708
3708

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

[email protected]

pid process

1500 [email protected]

pid	process
1500	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

Processes:

msedge.exe

pid	process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7zG.exeAUDIODG.EXE7zG.exe

description	pid	process
Token: SeRestorePrivilege	2076	7zG.exe
Token: 35	2076	7zG.exe
Token: SeSecurityPrivilege	2076	7zG.exe
Token: SeSecurityPrivilege	2076	7zG.exe
Token: 33	2732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2732	AUDIODG.EXE
Token: SeRestorePrivilege	3932	7zG.exe
Token: 35	3932	7zG.exe
Token: SeSecurityPrivilege	3932	7zG.exe
Token: SeSecurityPrivilege	3932	7zG.exe
Token: SeRestorePrivilege	5132
Token: 35	5132
Token: SeSecurityPrivilege	5132
Token: SeSecurityPrivilege	5132
Token: SeDebugPrivilege	3708
Token: SeShutdownPrivilege	3708

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exe7zG.exe

pid	process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
2076	7zG.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
3932	7zG.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
2104
3708

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

pid process

2104
2104
6724
3708
3708
6500
836

pid	process
2104
2104
6724
3708
3708
6500
836

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemsedge.exe

description	pid	process	target process
PID 116 wrote to memory of 3160	116	regsvr32.exe	regsvr32.exe
PID 116 wrote to memory of 3160	116	regsvr32.exe	regsvr32.exe
PID 116 wrote to memory of 3160	116	regsvr32.exe	regsvr32.exe
PID 880 wrote to memory of 3352	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3352	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 4636	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 2408	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 2408	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe
PID 880 wrote to memory of 3348	880	msedge.exe	msedge.exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
2⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 604
3⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8ef5c46f8,0x7ff8ef5c4708,0x7ff8ef5c4718
2⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
2⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
2⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
2⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
2⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
2⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
2⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4656 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
2⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:1
2⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,8883693572811945788,2020719604124895301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ProgramOverflow\" -ad -an -ai#7zMap2397:92:7zEvent10741
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2076

C:\Users\Admin\Downloads\ProgramOverflow\[email protected]
"C:\Users\Admin\Downloads\ProgramOverflow\[email protected]"
1⤵
- Executes dropped EXE
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com/endermanch
2⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff8ef5c46f8,0x7ff8ef5c4708,0x7ff8ef5c4718
3⤵
PID:1164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UserOverflow\" -ad -an -ai#7zMap14472:86:7zEvent4109
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Users\Admin\Downloads\UserOverflow\[email protected]
"C:\Users\Admin\Downloads\UserOverflow\[email protected]"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user1 /add
2⤵
PID:4168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user1 /add
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user2 /add
2⤵
PID:3840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user2 /add
3⤵
PID:1368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user3 /add
2⤵
PID:208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user3 /add
3⤵
PID:916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user4 /add
2⤵
PID:1568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user4 /add
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user5 /add
2⤵
PID:5848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user5 /add
3⤵
PID:2572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user6 /add
2⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user6 /add
3⤵
PID:1812

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user7 /add
2⤵
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user7 /add
3⤵
PID:3772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user8 /add
2⤵
PID:5156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user8 /add
3⤵
PID:4328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user9 /add
2⤵
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user9 /add
3⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user10 /add
2⤵
PID:5588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user10 /add
3⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user11 /add
2⤵
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user11 /add
3⤵
PID:6044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user12 /add
2⤵
PID:5592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user12 /add
3⤵
PID:3476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user13 /add
2⤵
PID:3728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user13 /add
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user14 /add
2⤵
PID:5196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user14 /add
3⤵
PID:3056

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user15 /add
2⤵
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user15 /add
3⤵
PID:5528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user16 /add
2⤵
PID:6116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user16 /add
3⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user17 /add
2⤵
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user17 /add
3⤵
PID:5504

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user18 /add
2⤵
PID:3224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user18 /add
3⤵
PID:3908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user19 /add
2⤵
PID:5160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user19 /add
3⤵
PID:1816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user20 /add
2⤵
PID:3432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user20 /add
3⤵
PID:5884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user21 /add
2⤵
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user21 /add
3⤵
PID:6064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user22 /add
2⤵
PID:676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user22 /add
3⤵
PID:6184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user23 /add
2⤵
PID:5796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user23 /add
3⤵
PID:4660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user24 /add
2⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user24 /add
3⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user25 /add
2⤵
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user25 /add
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user26 /add
2⤵
PID:5908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user26 /add
3⤵
PID:6256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user27 /add
2⤵
PID:3492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user27 /add
3⤵
PID:464

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user28 /add
2⤵
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user28 /add
3⤵
PID:6248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user29 /add
2⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user29 /add
3⤵
PID:6364

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user30 /add
2⤵
PID:3744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user30 /add
3⤵
PID:6324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user31 /add
2⤵
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user31 /add
3⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user32 /add
2⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user32 /add
3⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user33 /add
2⤵
PID:6060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user33 /add
3⤵
PID:6976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user34 /add
2⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user34 /add
3⤵
PID:6948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user35 /add
2⤵
PID:5472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user35 /add
3⤵
PID:7036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user36 /add
2⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user36 /add
3⤵
PID:6568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user37 /add
2⤵
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user37 /add
3⤵
PID:7076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user38 /add
2⤵
PID:1184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user38 /add
3⤵
PID:5856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user39 /add
2⤵
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user39 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user40 /add
2⤵
PID:1568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user40 /add
3⤵
PID:5984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user41 /add
2⤵
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user41 /add
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user42 /add
2⤵
PID:6140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user42 /add
3⤵
PID:7152

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user43 /add
2⤵
PID:6204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user43 /add
3⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user44 /add
2⤵
PID:6280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user44 /add
3⤵
PID:6648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user45 /add
2⤵
PID:6300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user45 /add
3⤵
PID:3196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user46 /add
2⤵
PID:6340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user46 /add
3⤵
PID:2492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user47 /add
2⤵
PID:6412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user47 /add
3⤵
PID:5932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user48 /add
2⤵
PID:6460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user48 /add
3⤵
PID:3716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user49 /add
2⤵
PID:6472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user49 /add
3⤵
PID:6360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user50 /add
2⤵
PID:6552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user50 /add
3⤵
PID:5680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user51 /add
2⤵
PID:6632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user51 /add
3⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user52 /add
2⤵
PID:6708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user52 /add
3⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user53 /add
2⤵
PID:6728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user53 /add
3⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user54 /add
2⤵
PID:6792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user54 /add
3⤵
PID:4196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user55 /add
2⤵
PID:6896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user55 /add
3⤵
PID:5160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user56 /add
2⤵
PID:6912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user56 /add
3⤵
PID:4224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user57 /add
2⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user57 /add
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user58 /add
2⤵
PID:4068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user58 /add
3⤵
PID:6188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user59 /add
2⤵
PID:1672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user59 /add
3⤵
PID:1328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user60 /add
2⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user60 /add
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user61 /add
2⤵
PID:5132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user61 /add
3⤵
PID:6256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user62 /add
2⤵
PID:6484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user62 /add
3⤵
PID:6960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user63 /add
2⤵
PID:4696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user63 /add
3⤵
PID:7036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user64 /add
2⤵
PID:6132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user64 /add
3⤵
PID:5808

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user65 /add
2⤵
PID:5720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user65 /add
3⤵
PID:5644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user66 /add
2⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user66 /add
3⤵
PID:4948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user67 /add
2⤵
PID:4028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user67 /add
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user68 /add
2⤵
PID:6420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user68 /add
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user69 /add
2⤵
PID:5604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user69 /add
3⤵
PID:6904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user70 /add
2⤵
PID:6804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user70 /add
3⤵
PID:3332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user71 /add
2⤵
PID:5920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user71 /add
3⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user72 /add
2⤵
PID:5344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user72 /add
3⤵
PID:7068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user73 /add
2⤵
PID:6888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user73 /add
3⤵
PID:4708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user74 /add
2⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user74 /add
3⤵
PID:1840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user75 /add
2⤵
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user75 /add
3⤵
PID:6176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user76 /add
2⤵
PID:5476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user76 /add
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user77 /add
2⤵
PID:6948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user77 /add
3⤵
PID:7072

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user78 /add
2⤵
PID:2280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user78 /add
3⤵
PID:6676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user79 /add
2⤵
PID:3268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user79 /add
3⤵
PID:6544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user80 /add
2⤵
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user80 /add
3⤵
PID:5672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user81 /add
2⤵
PID:3696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user81 /add
3⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user82 /add
2⤵
PID:5820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user82 /add
3⤵
PID:6832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user83 /add
2⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user83 /add
3⤵
PID:6656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user84 /add
2⤵
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user84 /add
3⤵
PID:6672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user85 /add
2⤵
PID:6216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user85 /add
3⤵
PID:5988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user86 /add
2⤵
PID:7108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user86 /add
3⤵
PID:6680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user87 /add
2⤵
PID:5360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user87 /add
3⤵
PID:4788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user88 /add
2⤵
PID:6336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user88 /add
3⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user89 /add
2⤵
PID:6388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user89 /add
3⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user90 /add
2⤵
PID:6852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user90 /add
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user91 /add
2⤵
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user91 /add
3⤵
PID:5740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user92 /add
2⤵
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user92 /add
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user93 /add
2⤵
PID:6600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user93 /add
3⤵
PID:540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user94 /add
2⤵
PID:6840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user94 /add
3⤵
PID:7128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user95 /add
2⤵
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user95 /add
3⤵
PID:6992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user96 /add
2⤵
PID:6500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user96 /add
3⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user97 /add
2⤵
PID:6796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user97 /add
3⤵
PID:2484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user98 /add
2⤵
PID:6956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user98 /add
3⤵
PID:6348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user99 /add
2⤵
PID:6432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user99 /add
3⤵
PID:6920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user100 /add
2⤵
PID:1328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user100 /add
3⤵
PID:6252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user101 /add
2⤵
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user101 /add
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user102 /add
2⤵
PID:3760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user102 /add
3⤵
PID:5832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user103 /add
2⤵
PID:7084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user103 /add
3⤵
PID:3684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user104 /add
2⤵
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user104 /add
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user105 /add
2⤵
PID:464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user105 /add
3⤵
PID:1988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user106 /add
2⤵
PID:6604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user106 /add
3⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user107 /add
2⤵
PID:5940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user107 /add
3⤵
PID:6192

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user108 /add
2⤵
PID:7036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user108 /add
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user109 /add
2⤵
PID:6400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user109 /add
3⤵
PID:6304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user110 /add
2⤵
PID:4884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user110 /add
3⤵
PID:7020

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user111 /add
2⤵
PID:6320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user111 /add
3⤵
PID:3268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user112 /add
2⤵
PID:6612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user112 /add
3⤵
PID:1944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user113 /add
2⤵
PID:6628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user113 /add
3⤵
PID:5284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user114 /add
2⤵
PID:5728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user114 /add
3⤵
PID:5672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user115 /add
2⤵
PID:7080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user115 /add
3⤵
PID:6740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user116 /add
2⤵
PID:676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user116 /add
3⤵
PID:3516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user117 /add
2⤵
PID:5764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user117 /add
3⤵
PID:5044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user118 /add
2⤵
PID:5848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user118 /add
3⤵
PID:7056

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user119 /add
2⤵
PID:6352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user119 /add
3⤵
PID:6224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user120 /add
2⤵
PID:4516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user120 /add
3⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user121 /add
2⤵
PID:5684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user121 /add
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user122 /add
2⤵
PID:180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user122 /add
3⤵
PID:5324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user123 /add
2⤵
PID:3872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user123 /add
3⤵
PID:6576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user124 /add
2⤵
PID:7012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user124 /add
3⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user125 /add
2⤵
PID:6716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user125 /add
3⤵
PID:6900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user126 /add
2⤵
PID:6632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user126 /add
3⤵
PID:3768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user127 /add
2⤵
PID:6148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user127 /add
3⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user128 /add
2⤵
PID:7100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user128 /add
3⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user129 /add
2⤵
PID:5788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user129 /add
3⤵
PID:7048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user130 /add
2⤵
PID:6852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user130 /add
3⤵
PID:6840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user131 /add
2⤵
PID:5692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user131 /add
3⤵
PID:1176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user132 /add
2⤵
PID:6660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user132 /add
3⤵
PID:220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user133 /add
2⤵
PID:6416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user133 /add
3⤵
PID:6956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user134 /add
2⤵
PID:4136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user134 /add
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user135 /add
2⤵
PID:6348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user135 /add
3⤵
PID:3840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user136 /add
2⤵
PID:5380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user136 /add
3⤵
PID:5816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user137 /add
2⤵
PID:5156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user137 /add
3⤵
PID:6248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user138 /add
2⤵
PID:3272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user138 /add
3⤵
PID:6192

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user139 /add
2⤵
PID:6432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user139 /add
3⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user140 /add
2⤵
PID:6168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user140 /add
3⤵
PID:6752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user141 /add
2⤵
PID:5884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user141 /add
3⤵
PID:1992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user142 /add
2⤵
PID:7104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user142 /add
3⤵
PID:1184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user143 /add
2⤵
PID:6800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user143 /add
3⤵
PID:6304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user144 /add
2⤵
PID:4772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user144 /add
3⤵
PID:732

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user145 /add
2⤵
PID:7044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user145 /add
3⤵
PID:6184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user146 /add
2⤵
PID:5300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user146 /add
3⤵
PID:6544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user147 /add
2⤵
PID:4720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user147 /add
3⤵
PID:564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user148 /add
2⤵
PID:6236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user148 /add
3⤵
PID:4144

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user149 /add
2⤵
PID:6440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user149 /add
3⤵
PID:368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user150 /add
2⤵
PID:6760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user150 /add
3⤵
PID:5928

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user151 /add
2⤵
PID:7080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user151 /add
3⤵
PID:6224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user152 /add
2⤵
PID:6748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user152 /add
3⤵
PID:6536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user153 /add
2⤵
PID:5724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user153 /add
3⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user154 /add
2⤵
PID:1820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user154 /add
3⤵
PID:6656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user155 /add
2⤵
PID:6644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user155 /add
3⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user156 /add
2⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user156 /add
3⤵
PID:6296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user157 /add
2⤵
PID:2184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user157 /add
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user158 /add
2⤵
PID:4088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user158 /add
3⤵
PID:6476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user159 /add
2⤵
PID:1360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user159 /add
3⤵
PID:5820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user160 /add
2⤵
PID:6472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user160 /add
3⤵
PID:6780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user161 /add
2⤵
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user161 /add
3⤵
PID:6784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user162 /add
2⤵
PID:7012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user162 /add
3⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user163 /add
2⤵
PID:6392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user163 /add
3⤵
PID:7108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user164 /add
2⤵
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user164 /add
3⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user165 /add
2⤵
PID:6116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user165 /add
3⤵
PID:3568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user166 /add
2⤵
PID:7128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user166 /add
3⤵
PID:6260

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user167 /add
2⤵
PID:7116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user167 /add
3⤵
PID:6924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user168 /add
2⤵
PID:7024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user168 /add
3⤵
PID:6876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user169 /add
2⤵
PID:6668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user169 /add
3⤵
PID:6696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user170 /add
2⤵
PID:6336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user170 /add
3⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user171 /add
2⤵
PID:6500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user171 /add
3⤵
PID:6684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user172 /add
2⤵
PID:6956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user172 /add
3⤵
PID:6340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user173 /add
2⤵
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user173 /add
3⤵
PID:6796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user174 /add
2⤵
PID:6428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user174 /add
3⤵
PID:5952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user175 /add
2⤵
PID:776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user175 /add
3⤵
PID:4780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user176 /add
2⤵
PID:3244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user176 /add
3⤵
PID:5284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user177 /add
2⤵
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user177 /add
3⤵
PID:1596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user178 /add
2⤵
PID:5808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user178 /add
3⤵
PID:4720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user179 /add
2⤵
PID:7008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user179 /add
3⤵
PID:6372

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user180 /add
2⤵
PID:7164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user180 /add
3⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user181 /add
2⤵
PID:4064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user181 /add
3⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user182 /add
2⤵
PID:6188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user182 /add
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user183 /add
2⤵
PID:6184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user183 /add
3⤵
PID:6804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user184 /add
2⤵
PID:6544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user184 /add
3⤵
PID:7156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user185 /add
2⤵
PID:6244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user185 /add
3⤵
PID:2792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user186 /add
2⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user186 /add
3⤵
PID:4516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user187 /add
2⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user187 /add
3⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user188 /add
2⤵
PID:5420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user188 /add
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user189 /add
2⤵
PID:4000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user189 /add
3⤵
PID:4224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user190 /add
2⤵
PID:7068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user190 /add
3⤵
PID:3384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user191 /add
2⤵
PID:6152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user191 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user192 /add
2⤵
PID:5636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user192 /add
3⤵
PID:5472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user193 /add
2⤵
PID:5672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user193 /add
3⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user194 /add
2⤵
PID:1600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user194 /add
3⤵
PID:5372

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user195 /add
2⤵
PID:6936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user195 /add
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user196 /add
2⤵
PID:5660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user196 /add
3⤵
PID:6328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user197 /add
2⤵
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user197 /add
3⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user198 /add
2⤵
PID:6460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user198 /add
3⤵
PID:6944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user199 /add
2⤵
PID:7056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user199 /add
3⤵
PID:6264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user200 /add
2⤵
PID:5360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user200 /add
3⤵
PID:6852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user201 /add
2⤵
PID:7148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user201 /add
3⤵
PID:6920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user202 /add
2⤵
PID:6532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user202 /add
3⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user203 /add
2⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user203 /add
3⤵
PID:3840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user204 /add
2⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user204 /add
3⤵
PID:4076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user205 /add
2⤵
PID:6424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user205 /add
3⤵
PID:6836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user206 /add
2⤵
PID:6900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user206 /add
3⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user207 /add
2⤵
PID:6408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user207 /add
3⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user208 /add
2⤵
PID:6624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user208 /add
3⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user209 /add
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user209 /add
3⤵
PID:6964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user210 /add
2⤵
PID:6172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user210 /add
3⤵
PID:2016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user211 /add
2⤵
PID:4028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user211 /add
3⤵
PID:4992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user212 /add
2⤵
PID:6752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user212 /add
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user213 /add
2⤵
PID:6348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user213 /add
3⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user214 /add
2⤵
PID:6496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user214 /add
3⤵
PID:564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user215 /add
2⤵
PID:5908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user215 /add
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user216 /add
2⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user216 /add
3⤵
PID:6548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user217 /add
2⤵
PID:6824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user217 /add
3⤵
PID:6856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user218 /add
2⤵
PID:5536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user218 /add
3⤵
PID:5860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user219 /add
2⤵
PID:3432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user219 /add
3⤵
PID:180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user220 /add
2⤵
PID:1384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user220 /add
3⤵
PID:6060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user221 /add
2⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user221 /add
3⤵
PID:4192

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user222 /add
2⤵
PID:6256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user222 /add
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user223 /add
2⤵
PID:6248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user223 /add
3⤵
PID:8

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user224 /add
2⤵
PID:6772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user224 /add
3⤵
PID:2024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user225 /add
2⤵
PID:1536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user225 /add
3⤵
PID:4360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user226 /add
2⤵
PID:4148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user226 /add
3⤵
PID:60

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user227 /add
2⤵
PID:6612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user227 /add
3⤵
PID:6316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user228 /add
2⤵
PID:6244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user228 /add
3⤵
PID:5512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user229 /add
2⤵
PID:6388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user229 /add
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user230 /add
2⤵
PID:7124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user230 /add
3⤵
PID:4196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user231 /add
2⤵
PID:6164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user231 /add
3⤵
PID:5392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user232 /add
2⤵
PID:6764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user232 /add
3⤵
PID:6716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user233 /add
2⤵
PID:6472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user233 /add
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user234 /add
2⤵
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user234 /add
3⤵
PID:7128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user235 /add
2⤵
PID:6308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user235 /add
3⤵
PID:4520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user236 /add
2⤵
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user236 /add
3⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user237 /add
2⤵
PID:6632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user237 /add
3⤵
PID:2108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user238 /add
2⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user238 /add
3⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user239 /add
2⤵
PID:6660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user239 /add
3⤵
PID:6744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user240 /add
2⤵
PID:6696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user240 /add
3⤵
PID:6380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user241 /add
2⤵
PID:5632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user241 /add
3⤵
PID:5796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user242 /add
2⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user242 /add
3⤵
PID:6604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user243 /add
2⤵
PID:5692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user243 /add
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user244 /add
2⤵
PID:3840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user244 /add
3⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user245 /add
2⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user245 /add
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user246 /add
2⤵
PID:6140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user246 /add
3⤵
PID:6432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user247 /add
2⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user247 /add
3⤵
PID:6200

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user248 /add
2⤵
PID:1568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user248 /add
3⤵
PID:4028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user249 /add
2⤵
PID:5220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user249 /add
3⤵
PID:4328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user250 /add
2⤵
PID:7152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user250 /add
3⤵
PID:5952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user251 /add
2⤵
PID:6624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user251 /add
3⤵
PID:6820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user252 /add
2⤵
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user252 /add
3⤵
PID:2548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user253 /add
2⤵
PID:7004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user253 /add
3⤵
PID:180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user254 /add
2⤵
PID:6908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user254 /add
3⤵
PID:2596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user255 /add
2⤵
PID:5996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user255 /add
3⤵
PID:3268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user256 /add
2⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user256 /add
3⤵
PID:3496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user257 /add
2⤵
PID:6780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user257 /add
3⤵
PID:7120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user258 /add
2⤵
PID:6940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user258 /add
3⤵
PID:5168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user259 /add
2⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user259 /add
3⤵
PID:3132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user260 /add
2⤵
PID:6596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user260 /add
3⤵
PID:5460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user261 /add
2⤵
PID:6592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user261 /add
3⤵
PID:4088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user262 /add
2⤵
PID:8

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user262 /add
3⤵
PID:7108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user263 /add
2⤵
PID:6284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user263 /add
3⤵
PID:3340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user264 /add
2⤵
PID:1184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user264 /add
3⤵
PID:5648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user265 /add
2⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user265 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user266 /add
2⤵
PID:6248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user266 /add
3⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user267 /add
2⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user267 /add
3⤵
PID:6944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user268 /add
2⤵
PID:6276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user268 /add
3⤵
PID:4520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user269 /add
2⤵
PID:6612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user269 /add
3⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user270 /add
2⤵
PID:2556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user270 /add
3⤵
PID:416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user271 /add
2⤵
PID:5684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user271 /add
3⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user272 /add
2⤵
PID:6552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user272 /add
3⤵
PID:6540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user273 /add
2⤵
PID:5612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user273 /add
3⤵
PID:4784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user274 /add
2⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user274 /add
3⤵
PID:7148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user275 /add
2⤵
PID:6224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user275 /add
3⤵
PID:5876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user276 /add
2⤵
PID:6556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user276 /add
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user277 /add
2⤵
PID:3520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user277 /add
3⤵
PID:5700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user278 /add
2⤵
PID:6732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user278 /add
3⤵
PID:7064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user279 /add
2⤵
PID:3696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user279 /add
3⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user280 /add
2⤵
PID:6676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user280 /add
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user281 /add
2⤵
PID:4004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user281 /add
3⤵
PID:3948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user282 /add
2⤵
PID:2688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user282 /add
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user283 /add
2⤵
PID:6640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user283 /add
3⤵
PID:5940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user284 /add
2⤵
PID:6616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user284 /add
3⤵
PID:6140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user285 /add
2⤵
PID:5720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user285 /add
3⤵
PID:6204

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user286 /add
2⤵
PID:5448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user286 /add
3⤵
PID:6304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user287 /add
2⤵
PID:6088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user287 /add
3⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user288 /add
2⤵
PID:6400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user288 /add
3⤵
PID:6564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user289 /add
2⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user289 /add
3⤵
PID:7140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user290 /add
2⤵
PID:4908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user290 /add
3⤵
PID:6060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user291 /add
2⤵
PID:6184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user291 /add
3⤵
PID:1680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user292 /add
2⤵
PID:5444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user292 /add
3⤵
PID:6176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user293 /add
2⤵
PID:6708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user293 /add
3⤵
PID:5512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user294 /add
2⤵
PID:5932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user294 /add
3⤵
PID:4208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user295 /add
2⤵
PID:6244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user295 /add
3⤵
PID:5168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user296 /add
2⤵
PID:6904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user296 /add
3⤵
PID:4360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user297 /add
2⤵
PID:6152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user297 /add
3⤵
PID:4708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user298 /add
2⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user298 /add
3⤵
PID:2824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user299 /add
2⤵
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user299 /add
3⤵
PID:6596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user300 /add
2⤵
PID:1184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user300 /add
3⤵
PID:6876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user301 /add
2⤵
PID:5624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user301 /add
3⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user302 /add
2⤵
PID:6296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user302 /add
3⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user303 /add
2⤵
PID:6996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user303 /add
3⤵
PID:6540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user304 /add
2⤵
PID:6356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user304 /add
3⤵
PID:7016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user305 /add
2⤵
PID:7052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user305 /add
3⤵
PID:6716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user306 /add
2⤵
PID:6692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user306 /add
3⤵
PID:396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user307 /add
2⤵
PID:6228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user307 /add
3⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user308 /add
2⤵
PID:7068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user308 /add
3⤵
PID:8

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user309 /add
2⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user309 /add
3⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user310 /add
2⤵
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user310 /add
3⤵
PID:1176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user311 /add
2⤵
PID:6936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user311 /add
3⤵
PID:5700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user312 /add
2⤵
PID:6712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user312 /add
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user313 /add
2⤵
PID:6784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user313 /add
3⤵
PID:3948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user314 /add
2⤵
PID:2612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user314 /add
3⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user315 /add
2⤵
PID:6556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user315 /add
3⤵
PID:3112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user316 /add
2⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user316 /add
3⤵
PID:1044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user317 /add
2⤵
PID:2020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user317 /add
3⤵
PID:6836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user318 /add
2⤵
PID:6428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user318 /add
3⤵
PID:6488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user319 /add
2⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user319 /add
3⤵
PID:6924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user320 /add
2⤵
PID:5300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user320 /add
3⤵
PID:6700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user321 /add
2⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user321 /add
3⤵
PID:4720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user322 /add
2⤵
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user322 /add
3⤵
PID:6864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user323 /add
2⤵
PID:6652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user323 /add
3⤵
PID:6900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user324 /add
2⤵
PID:6396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user324 /add
3⤵
PID:7044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user325 /add
2⤵
PID:3932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user325 /add
3⤵
PID:6624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user326 /add
2⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user326 /add
3⤵
PID:6828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user327 /add
2⤵
PID:5908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user327 /add
3⤵
PID:6332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user328 /add
2⤵
PID:180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user328 /add
3⤵
PID:368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user329 /add
2⤵
PID:6752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user329 /add
3⤵
PID:4144

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user330 /add
2⤵
PID:6788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user330 /add
3⤵
PID:5676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user331 /add
2⤵
PID:7036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user331 /add
3⤵
PID:6644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user332 /add
2⤵
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user332 /add
3⤵
PID:3772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user333 /add
2⤵
PID:5168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user333 /add
3⤵
PID:6960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user334 /add
2⤵
PID:1364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user334 /add
3⤵
PID:5196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user335 /add
2⤵
PID:6412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user335 /add
3⤵
PID:6832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user336 /add
2⤵
PID:1536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user336 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user337 /add
2⤵
PID:3264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user337 /add
3⤵
PID:6352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user338 /add
2⤵
PID:6132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user338 /add
3⤵
PID:1864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user339 /add
2⤵
PID:6464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user339 /add
3⤵
PID:4488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user340 /add
2⤵
PID:1184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user340 /add
3⤵
PID:7016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user341 /add
2⤵
PID:7072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user341 /add
3⤵
PID:6912

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user342 /add
2⤵
PID:3096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user342 /add
3⤵
PID:6064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user343 /add
2⤵
PID:916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user343 /add
3⤵
PID:7108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user344 /add
2⤵
PID:6592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user344 /add
3⤵
PID:5044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user345 /add
2⤵
PID:5588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user345 /add
3⤵
PID:6568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user346 /add
2⤵
PID:2984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user346 /add
3⤵
PID:924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user347 /add
2⤵
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user347 /add
3⤵
PID:4788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user348 /add
2⤵
PID:1140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user348 /add
3⤵
PID:6472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user349 /add
2⤵
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user349 /add
3⤵
PID:6968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user350 /add
2⤵
PID:5884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user350 /add
3⤵
PID:2192

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user351 /add
2⤵
PID:7148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user351 /add
3⤵
PID:5140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user352 /add
2⤵
PID:6156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user352 /add
3⤵
PID:2484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user353 /add
2⤵
PID:7084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user353 /add
3⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user354 /add
2⤵
PID:6816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user354 /add
3⤵
PID:5936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user355 /add
2⤵
PID:6488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user355 /add
3⤵
PID:7088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user356 /add
2⤵
PID:6836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user356 /add
3⤵
PID:3208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user357 /add
2⤵
PID:7156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user357 /add
3⤵
PID:4216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user358 /add
2⤵
PID:5300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user358 /add
3⤵
PID:6392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user359 /add
2⤵
PID:6728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user359 /add
3⤵
PID:6900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user360 /add
2⤵
PID:5508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user360 /add
3⤵
PID:6396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user361 /add
2⤵
PID:6400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user361 /add
3⤵
PID:6624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user362 /add
2⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user362 /add
3⤵
PID:6172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user363 /add
2⤵
PID:6880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user363 /add
3⤵
PID:6480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user364 /add
2⤵
PID:6828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user364 /add
3⤵
PID:4508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user365 /add
2⤵
PID:6856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user365 /add
3⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user366 /add
2⤵
PID:6984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user366 /add
3⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user367 /add
2⤵
PID:5472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user367 /add
3⤵
PID:5996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user368 /add
2⤵
PID:6608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user368 /add
3⤵
PID:6708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user369 /add
2⤵
PID:3260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user369 /add
3⤵
PID:3132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user370 /add
2⤵
PID:6992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user370 /add
3⤵
PID:5196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user371 /add
2⤵
PID:6928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user371 /add
3⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user372 /add
2⤵
PID:5984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user372 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user373 /add
2⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user373 /add
3⤵
PID:5644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user374 /add
2⤵
PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user374 /add
3⤵
PID:3244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user375 /add
2⤵
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user375 /add
3⤵
PID:4088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user376 /add
2⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user376 /add
3⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user377 /add
2⤵
PID:6240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user377 /add
3⤵
PID:8

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user378 /add
2⤵
PID:5020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user378 /add
3⤵
PID:7076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user379 /add
2⤵
PID:5456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user379 /add
3⤵
PID:6272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user380 /add
2⤵
PID:6356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user380 /add
3⤵
PID:3096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user381 /add
2⤵
PID:6452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user381 /add
3⤵
PID:7092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user382 /add
2⤵
PID:416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user382 /add
3⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user383 /add
2⤵
PID:6344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user383 /add
3⤵
PID:2984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user384 /add
2⤵
PID:5748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user384 /add
3⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user385 /add
2⤵
PID:6312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user385 /add
3⤵
PID:6964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user386 /add
2⤵
PID:6604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user386 /add
3⤵
PID:3412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user387 /add
2⤵
PID:6948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user387 /add
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user388 /add
2⤵
PID:5796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user388 /add
3⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user389 /add
2⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user389 /add
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user390 /add
2⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user390 /add
3⤵
PID:6204

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user391 /add
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user391 /add
3⤵
PID:6732

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user392 /add
2⤵
PID:1944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user392 /add
3⤵
PID:4660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user393 /add
2⤵
PID:3356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user393 /add
3⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user394 /add
2⤵
PID:6500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user394 /add
3⤵
PID:6700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user395 /add
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user395 /add
3⤵
PID:872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user396 /add
2⤵
PID:5220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user396 /add
3⤵
PID:5720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user397 /add
2⤵
PID:4772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user397 /add
3⤵
PID:4436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user398 /add
2⤵
PID:6860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user398 /add
3⤵
PID:1384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user399 /add
2⤵
PID:1316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user399 /add
3⤵
PID:6652

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user400 /add
2⤵
PID:6624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user400 /add
3⤵
PID:6880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user401 /add
2⤵
PID:5932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user401 /add
3⤵
PID:2436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user402 /add
2⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user402 /add
3⤵
PID:180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user403 /add
2⤵
PID:5772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user403 /add
3⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user404 /add
2⤵
PID:5596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user404 /add
3⤵
PID:7020

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user405 /add
2⤵
PID:6080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user405 /add
3⤵
PID:7124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user406 /add
2⤵
PID:6684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user406 /add
3⤵
PID:3032

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user407 /add
2⤵
PID:5152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user407 /add
3⤵
PID:5256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user408 /add
2⤵
PID:3132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user408 /add
3⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user409 /add
2⤵
PID:6960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user409 /add
3⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user410 /add
2⤵
PID:4520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user410 /add
3⤵
PID:5988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user411 /add
2⤵
PID:6248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user411 /add
3⤵
PID:6352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user412 /add
2⤵
PID:5764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user412 /add
3⤵
PID:4696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user413 /add
2⤵
PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user413 /add
3⤵
PID:6464

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user414 /add
2⤵
PID:4088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user414 /add
3⤵
PID:8

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user415 /add
2⤵
PID:1600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user415 /add
3⤵
PID:5800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user416 /add
2⤵
PID:6476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user416 /add
3⤵
PID:5048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user417 /add
2⤵
PID:4892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user417 /add
3⤵
PID:6592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user418 /add
2⤵
PID:6996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user418 /add
3⤵
PID:3684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user419 /add
2⤵
PID:6692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user419 /add
3⤵
PID:6472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user420 /add
2⤵
PID:6760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user420 /add
3⤵
PID:7008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user421 /add
2⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user421 /add
3⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user422 /add
2⤵
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user422 /add
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user423 /add
2⤵
PID:6872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user423 /add
3⤵
PID:6468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user424 /add
2⤵
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user424 /add
3⤵
PID:6680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user425 /add
2⤵
PID:7080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user425 /add
3⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user426 /add
2⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user426 /add
3⤵
PID:6180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user427 /add
2⤵
PID:6764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user427 /add
3⤵
PID:6252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user428 /add
2⤵
PID:6424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user428 /add
3⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user429 /add
2⤵
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user429 /add
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user430 /add
2⤵
PID:732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user430 /add
3⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user431 /add
2⤵
PID:5540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user431 /add
3⤵
PID:1996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user432 /add
2⤵
PID:3208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user432 /add
3⤵
PID:6820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user433 /add
2⤵
PID:6700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user433 /add
3⤵
PID:4328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user434 /add
2⤵
PID:6256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user434 /add
3⤵
PID:3256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user435 /add
2⤵
PID:6148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user435 /add
3⤵
PID:6652

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user436 /add
2⤵
PID:4744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user436 /add
3⤵
PID:5708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user437 /add
2⤵
PID:6544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user437 /add
3⤵
PID:64

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user438 /add
2⤵
PID:6332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user438 /add
3⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user439 /add
2⤵
PID:4508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user439 /add
3⤵
PID:5448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user440 /add
2⤵
PID:6456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user440 /add
3⤵
PID:776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user441 /add
2⤵
PID:180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user441 /add
3⤵
PID:4708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user442 /add
2⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user442 /add
3⤵
PID:7120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user443 /add
2⤵
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user443 /add
3⤵
PID:3432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user444 /add
2⤵
PID:6788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user444 /add
3⤵
PID:6896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user445 /add
2⤵
PID:5728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user445 /add
3⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user446 /add
2⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user446 /add
3⤵
PID:5592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user447 /add
2⤵
PID:320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user447 /add
3⤵
PID:5988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user448 /add
2⤵
PID:5548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user448 /add
3⤵
PID:7028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user449 /add
2⤵
PID:3404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user449 /add
3⤵
PID:5960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user450 /add
2⤵
PID:6540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user450 /add
3⤵
PID:4696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user451 /add
2⤵
PID:6508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user451 /add
3⤵
PID:5344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user452 /add
2⤵
PID:5420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user452 /add
3⤵
PID:6164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user453 /add
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user453 /add
3⤵
PID:7068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user454 /add
2⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user454 /add
3⤵
PID:4780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user455 /add
2⤵
PID:5048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user455 /add
3⤵
PID:4264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user456 /add
2⤵
PID:7040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user456 /add
3⤵
PID:4788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user457 /add
2⤵
PID:676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user457 /add
3⤵
PID:6968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user458 /add
2⤵
PID:6344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user458 /add
3⤵
PID:5808

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user459 /add
2⤵
PID:6324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user459 /add
3⤵
PID:5656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user460 /add
2⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user460 /add
3⤵
PID:3156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user461 /add
2⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user461 /add
3⤵
PID:2612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user462 /add
2⤵
PID:5612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user462 /add
3⤵
PID:6640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user463 /add
2⤵
PID:3840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user463 /add
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user464 /add
2⤵
PID:3572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user464 /add
3⤵
PID:5692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user465 /add
2⤵
PID:6156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user465 /add
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user466 /add
2⤵
PID:6576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user466 /add
3⤵
PID:6424

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user467 /add
2⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user467 /add
3⤵
PID:7156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user468 /add
2⤵
PID:5140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user468 /add
3⤵
PID:2380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user469 /add
2⤵
PID:1568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user469 /add
3⤵
PID:4028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user470 /add
2⤵
PID:6836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" user user471 /add
2⤵
PID:6400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6380

C:\ProgramOverflow\program2.exe
"C:\ProgramOverflow\program2.exe"
1⤵
- Executes dropped EXE
PID:6976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
Filesize
9.0MB

MD5
c18a7323332b3292a8e0f1c81df65698

SHA1
bcb8f34cbe0137e888d06acbcb6508417851a087

SHA256
9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8

SHA512
4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3067f025-101f-44c8-9c8b-2e289b85a4dd.tmp
Filesize
1KB

MD5
a3542ce8ad859b462a1b263ae3431d5e

SHA1
26b0487f056f8c246b025bd604f3f6a65820e4e1

SHA256
17a1fa6c51c3ddd12a681b1f9cb2f412dee1ad3fbbbb466b63d5df36341ea34f

SHA512
cecbd78032f87bb824e2f28f65564ae6a8d9143fc2af2c6bac75955b2e14ed97b624c9383d47d62b7dc5e7b71d549d8921982f05e43e1de4debd79883419d65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
39KB

MD5
c3937a77b27f7fce8c19ca54200295c6

SHA1
f3a460eb84d33b52080f459eb6d6a075b65ad7a8

SHA256
780962e464fef6215639d410e69ce56c78cb47fff312afb07bcc74f13d369851

SHA512
025c4eb1e88511e4ae3e1829bf85149b1aadd96656fd8f071e9388962dbe5b695399790f1f3fbe4ce547d754e1de6f218f5f1107ed91419566729aaf39e97085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
1.2MB

MD5
153d9573f0f824b040ac13793d95e406

SHA1
f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8

SHA256
c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016

SHA512
5e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
32KB

MD5
bbc7e5859c0d0757b3b1b15e1b11929d

SHA1
59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d

SHA256
851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2

SHA512
f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
4KB

MD5
b0a045877812eff42adef9e5eff65beb

SHA1
e6bd71f481f9a8481bed836bd37ada0ff534ce24

SHA256
2a5951c5fdbe41741678e48a1bf4e17816d62178b9d9b52d9831a364a9aa5aba

SHA512
896a9f3b34fd6bb7250aa44716510df87231ea0e4b19408be3ccba1770a1cf685f1c64da4f8eb9fe196034a41b62c30d09cac9b7ecff280c883e692f445eef55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
5KB

MD5
43bf01fa32c213955d8ea0ec4446313e

SHA1
55bd72ada63788cbb4d70eaa6dabea0c58fdbb02

SHA256
20fea98d9ed0649a8c773b2ac8fb69ad687ef3f3566ab27491200836ab922e2d

SHA512
5d5aa935227ed42905f293665f87cd1c77d31d49e4b4a39a89b378a7c48209e1964a5bd8800c790f9fa33ce841d402985110dcf8c09eb5b366aa4d008428dfde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
3d4f2c0e37bc845e3f90bb6bc529123b

SHA1
c0275c0393d2bdd17eac1f8d091fea34b707db6c

SHA256
4f3d2749d45b6e82333eff6070c3af144d015e8dd7d494c400b0de8aa7d330d4

SHA512
29f5855eb1e30ac3b5a7d208472067683a04eab0dd6a84aa6eb31fc71f28ffbeccea9013350e5e32f301a32fade31de2d8fbe6bb7b6a78d87838203b5d3caed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
618B

MD5
8b2444758b96a74d377a015bb4f51b1b

SHA1
efe545790b9640e7d97e1243a6816b4602699b94

SHA256
ce436af3ff22f908c97b1de111d462f0fb717bd2f52eab1d9aff874c51360ec9

SHA512
dc4eba3ec5fb06b780e439f5372eb52b999deee30e120fe38fb5efcbc3774a0f294e87753d48811cbbc2650a2b81a92e61839b61530835a1dad59262a72693ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
0fcccfc442792191b52558453ebd0676

SHA1
b51d4481b1be53d476aa1dac58837cb5962d7fd3

SHA256
1787015f6e62389747525403d2a972fc3ecdcb03952e3ae0e6af4d945a453ef6

SHA512
b22cce1c92986e011ed952bc0b6396645c84970443f5a9dd8179bbb8348534acf007c51e5a6b0f0fb9e6f5e8ef2f4b021f259cfb90f5d1e93ae17c90169e2270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
ec24399288378128e843c8aef24a3d1e

SHA1
892c70d484e0578cec1902cb0e88771617cc6d32

SHA256
109d4b12d6cb91079baa17018d926c7feaa1b83089fc13c117acb31dd23ad120

SHA512
dba8a9757661de6fca10b50ed5b85354ac01676111b1ef36ec607043b2de67ea490bbb596104c1fbae34954646424fc409c32a8a8d4327b805c361fc011b0a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
76b8e8f04dd45197dad74ce3442aa6f4

SHA1
5e4c65cc4c1e261fa427011c236070fc529fa84b

SHA256
4e246e706d9e790d6db4d559cdcf46cfd4cb40d821d95ad2923360a88485433d

SHA512
e2f8b28bd06ae58a52880120c25edde5cc79abce30fc5b131f1be943a06665422def119342e2f910aab48fe8edd68e6535509c0c9ff15406faf0af3adc4db0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
fc3b17aa1a1d21e9fd12472cb4699187

SHA1
92b73c83b17301b0860f2b8e46f5d2c2c7655073

SHA256
a2f519a3f570deae29b720175cd6c4cf02f686ed59ecf953c9f0619f602a48d2

SHA512
937e47dd98d8a17a8debce2dccff9c6ccef2a744cdef40bff8a9f8fb1500a5c4168fec96d38ac31e5c27dc4c1616ddc090bc150f31cad6969e8f57830f1c983c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b40b2d6408760e92b4f913f4e44648db

SHA1
dc0182c5a77922a8f660ce14e111ee18aa513bd2

SHA256
535ca29c1eb3b90a07411fa415ddf1b12d0900dad727316cbcdc48c70ef202d9

SHA512
3ebc440340ad1fa2077aef59e7790e8054a14f6d5961018b1a30ddb9d14f09f2f1ffb8d53456be4f2184e4f0928fcbe5d715cdbc4b98161c263a63d3fee7e524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
12e1a0fb06ac3fdeab5ac9e4d7b993cc

SHA1
8d2f90789df034d7c2c30108541172ccfbc2f602

SHA256
fda438644478bb974f725a5feea09365d3be48a07be119ad0ad0a1304e3cbed4

SHA512
6745c8cdc7b276a92b751abddd482141e7f51a6cf9018298755e09073afb8315e3dd3c8558dafd6656ef8834aed3e8cfd8de3106e608243ac381defad797813f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
f3a89db556b3c0a08236e5bccb44f654

SHA1
8d65d9d1df715661503f679576e8d06b7a3ed718

SHA256
6beaabe0bb37d88cf17f8d8fb137bfcdf8e3ad07d0f01b6dbafb3eec4bd022b9

SHA512
cf1dbde238cfe5df5047c93b47e9ffe45b798c79c84102ec5220c00d5f62da9b02e2e9e74e041130fcb473f5979cf3276095e0407f41efbe8a0cd93614efe67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
d2468478fd4d92c542cfb83cd53f05b0

SHA1
11bc2be5c07d2ca8f6466a6954f921e3823577c2

SHA256
3cc063abf9a0c99525f8bbfc8adde4f06d69c7a30fc53612216dcda438ae41bf

SHA512
75ee82eefffba5bb05a892db6129dddc6e2166766304785c4b462e62ca47db907f1b91e263040a029acd66d861e5f866b772feb43a22b43d818b6bf57c548501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
aef96f12fa3f3889607bcc25f65aa0e7

SHA1
ca005a16d0464536664bfe75061d00d603626ea4

SHA256
c8ec67dc628304300c37921cadcfff360cd0f15c2875c92b3b232a90d8e678af

SHA512
54ecdfbf2097538765724fc741961efc30ac744e7c2f8c83ba26dd78166fcc5439b19f8c70891478f6b1df9d9cec5c75a74940c441b35226714da579a380dab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9ceedc86171a5cf494fe6b435040d04a

SHA1
30328a37f49d31163fe4e19aba09d3a637385fca

SHA256
9fee066779e5d9b8c5ea653968aba6e73137b38e71758b557a1d96aa3d1fd0b8

SHA512
848951e4ba844fe3401274e5460f34adfa5d414ddd0597541ba24cc6fe0fc3166eaba062856cee9aefb631338ba009346ae6f8669bd330a040d17cb91b0f746a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
510b0569fcaa71592b730aa03559720b

SHA1
cc62f6081916bbdb060033e99f505cd3959a6172

SHA256
1a3c6471bfbd10af8aa68b567d233449dece05088152c3bedf55c0a56c70cbe5

SHA512
fd93a3f575cf656fdc94efaf188f80806fd86ec309874b61ac0254cc1e1aa97a0c0761e24a9412cd9451bedb737db3fa20f6df33a62a6c19659a198f2b5acb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b18862c433f28329c3775f3559ea2402

SHA1
d332893f68d80f287cc089ca8475fb7273ba1227

SHA256
0633cf02862d2ee07ca6b712b732aca5bb285cba920a06d2584bb3458c77f8c0

SHA512
d24df5d9a25b6d488de93992c8905fca5b4cb51c30fd05034409325b4ae6ee2cfa7d24d469cf74a326054a679d484bdee74eea6ecaf4c163ec7f0da2d17945c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7379fa970090de63680e3eeebffadb96

SHA1
fcd2a50e3399448a90d9c8f0b9f441868f529914

SHA256
2ffb07dd0721f367424658bd722c6aa385bb335f809f3b5b284ea4e366f66dd8

SHA512
6721b894104c9aca14052e9e1dd7f5e0adb63d72fd4ffe9cd1067c6ec2c240071e22024ff0fba3a6535c786b08f833090ee2438e62afef9861d0573ae0bff685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1a73a930-70bc-4750-bbc7-e9dd9547e18f\index-dir\the-real-index
Filesize
576B

MD5
9e13c11b5be0063fc6bd5a158430472a

SHA1
815a2ad99094990cb672db530a0e044bf2a2399b

SHA256
8aef567744043106dabfcb8ce64afa3d0c3d1765a91c09392f4505fcba5b2f9b

SHA512
a869e1b52d0f871428ce46a35f9c29d55e65fe739935c1cfdae085b3bfd0fd325bda3e9e6f6160f109790759af58aca7f34bba42d718bb2251ac1ed002dafffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1a73a930-70bc-4750-bbc7-e9dd9547e18f\index-dir\the-real-index~RFe5a9878.TMP
Filesize
48B

MD5
b4418bf64ade02083d6db5d53c205232

SHA1
96520da368648d16d4497f1eddb79ffbded52387

SHA256
007e3b43a95e8176a9b722b5bfc2b98130efd1da32ce85f01560596effe8aacb

SHA512
38243e0c78895f60f88ca04401647b01d36bb46ad3960a5c5883e9c7dcb05675d61ebbb488c8a9ffb818a8da57b18496bb207eada389765e724ca5d0ddc4123b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4ca1f75c-d979-4128-a672-bf328722d8e5\index-dir\the-real-index
Filesize
2KB

MD5
89fad6c151e26549024b057b0a407776

SHA1
a3bc728768c097f1b2e331fd44ae57f6a15dcb5a

SHA256
41e0071f6360188327d3e17332743a85c773fcded7a91629dec6d4e1e3cada6b

SHA512
570d2439e71cdbdd0b43d43f1a1522b802139581005cd2d1c9bcbabfc5517349c3012485f4726ce6abb59878efed9303070ca3e69f0ea4aed33bef8927cf4415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4ca1f75c-d979-4128-a672-bf328722d8e5\index-dir\the-real-index~RFe5a9b38.TMP
Filesize
48B

MD5
5329d78912545f6b2d549853af4ff90e

SHA1
3d1112f8e7f163d0a9adf6f5a9850c375f7f440c

SHA256
9cd56785f8bdb3abcfe4f2cef77ea6fe8db740623e33df5b75daa6cb8b39b0f7

SHA512
eef2af5990d6fa2b95651a661548f9ba1b3e010ae62dc51395ccdb360551c6b12e1d138c05aa72887d6a34cb4269846f4a27e87ea381cea3ea0363e11d617e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
91d57d8ac3faf635fd61225ff66af66b

SHA1
eff09525b20447056bd91543475f9d12805b4ab1

SHA256
731fd1b8c84a59fd4912a565c8e5a27e2f7dd2192e05d90c61e8570f91d12855

SHA512
c1442f16b330412e3eb254381dbfa6be85d3239bb8406553001150a4a649510bdf7485c446271d4c0611336d057cc3d3d5fc3dcfe20ab679c5c780361cfd00db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
0bf016195fd012990a38dc62b259241c

SHA1
dfe5afabc492266791717607ef555727a52e2ee5

SHA256
6003665958e8be8102ae18ec2d8a7aa33b6377a02e1a2e07e7344c28e6da8c8c

SHA512
4744ff9da589a4a393caf8bffa6f08e25bceb9ab48c7ec243f8ec078ca20644eabc5693ce4b26fb9b52449713f0c5873fc18063197a7e165b03215bed0cd0f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
155B

MD5
f2d7cc42c24ed475f79ff27af844553c

SHA1
400bde21b4bcda4a7d31731adbdd263765eb0452

SHA256
3dde147d6b9a81d3c5fb7aa75fc432172acccb539fe3077dcd97ec90fde0b685

SHA512
44deb019f9e76c05db5d4c02c92237d5746ed62c878a1e951f01a5c301b1e29936e39db3957ced973fc4fda90e774dd00642c761c5b78bca4388c23e8fa141bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
153B

MD5
5cfa41e066e75dce18220b485182675c

SHA1
03bd58304a5239e1cc421844551ba869f2636fd5

SHA256
8fd2e30f73d06e1b24fa0a18f0ba58838465c08ad1bff30a2e5e9234a71b7e8c

SHA512
7e941277a20a5f931e65a4e50bd04287d94755ade880e788af8a0773adc8fa212c8884fb164adaa948fabe0fa57e31786baaff56f8c1a2ee162f7e1d5504ccbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
44bf2e7620cb3d95372640ad4fe834f1

SHA1
c2858d710cbbe3e552045a972d58c51fd0b0a2c1

SHA256
d2bf961b12edc9bd4f42f8664a612652ffdb56f4062219619e7d82ca3aa2c50b

SHA512
b891a8a74ef3ee71ba64eb475dd820e561b2cf09f157a36e53d03ee682c741acaca2e77d05bbc2ba855391acb3a8412ab6311d84969f5c285c49c7e25dd00bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
1e03c72844e8813907e0050e6eaa3cef

SHA1
3067f3d400413326197776792e9664e07e32cf55

SHA256
9318e038dc9c22e176abffdaf9dc247ff55e5b7f7d51c8cdf704dc3e6b2f53b9

SHA512
e63c763834ed42da32d2ee7a40ac90a8e569a118269b4d7cf2cf8160765ef9dd7b11323a7e4493f9d527b31ce1083ed71a9941349d2c2b303b64894853d21b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a859c.TMP
Filesize
48B

MD5
fa25242b6a4dcb3e8cb846419c77e486

SHA1
cbc17975810634ee19b195494dbc2153247344d5

SHA256
7221644bc17fa45a8b0dd70d89e54c9b410641bf7baa1f1c65584b876ffdb759

SHA512
403c1bebe6fe5ce57c36a222ea6d33bd9fb62f1ed3b96ff3d34651766492fd16fe68e664bea7a47b08850a1d399a9c93b02513fc92f1f8356c83438ed3d5cd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
70e139a03bf7bc8cafd878c9d8e07fac

SHA1
f589f6d62202e43f2889af1122c57820df0572e5

SHA256
f47afe847374a85d146bbf9f596adaffbd88aacc3f93f2ca091ba5b29960cbe4

SHA512
9ec9f68cae2c92460f1b067edc5e2641e8ed5eb1810c4c6263853d1d4a3f1fa658fa7816b6cd9a038521b91f85b9e3d897f6947c2c285c1b174628bb8f02eda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
591f351341d9c0aa7dfa60f26aaee78a

SHA1
340eee345a1acf379e15cd2f7cc4d28fbf7a57f6

SHA256
663f5f02f404fe1d147c5cded4979e3e46477c0fc2aef306d1a754af72b48be0

SHA512
03593141043a4dfb3c37c26a49e89f390eac67c16afa57f61ba27dc1b26e63c32182dd98e3a7dc8937c85da4ac257ece1dbafdc0bc86240c846410ea3344c394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
070a22fb636de3024c7ae2f45fcece98

SHA1
7c81035beb3262902e314c24effc4e29e127125a

SHA256
8741944bc7fc50125849d241849d95fef49df8cd3ff379e49d81b5dae67469a3

SHA512
5f1849dcf47044bd36d7b36af91678de6eae54a6081d78dfc82758f0b533356350b006fca85ff17c26ab875d045a123566dd9c05a824b2842eee22940fac2533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
504e1e9be9a50d2dfd569e88da2e0c90

SHA1
cc15ea68cd87852c435b19ff98975244dbf5c2d0

SHA256
6d2d515335114889549b8bc5d57b378f30215f5d8ee6bb328a8c7638a33313fa

SHA512
160da2a1a4bcfaa9bd5d1dd3bc502a1496ffddfa1bfb6bd913989bec327941dbac39e23b2000c36532bb559908c64025de190454aabe66cfacdd25986cbd2c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
74cb2dd866e52fd27612cd2f47b8e94e

SHA1
7ad5310b7f053c97ecfe9b81cfb838b366aad3ef

SHA256
2cf7882b59846d3b681239d3b479f557ce898c929409ea9903a02922af4e45e1

SHA512
a76183bf7cdcea0b801401f4eaf0ab129d1fa3f256a3d1655aa0eb2f61ca678b1fd8b1f1fbc94236fdbab46131b7c536578e6b7c6f5b2a0971afa59d8d8d277d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a895934432c8d10a0267cfc1f7dd1cfc

SHA1
7bb572008da10568e870a030f3776eedfce37a64

SHA256
d40ca541c13ab3dc43f1b56d6c5c56a55ee1e94a787f2644be5799fb39fb6dea

SHA512
5c7d2eb6be47aa2b1f4c0cdfa77c8d22da37e0508c6a79131d052a342211992593f431f26b17f2a8468be4571d1c282c621c0484fcbc983fa51ea8b9d74a5691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
5f0220bd9f4ec723e0fdd2a274c18bd3

SHA1
1708740c4f953a00146376e127d40d84a27f5ece

SHA256
4f5f9606a3506f959f3b33e1f0703f5ce2a526325099c61db0e0592008bfb8a0

SHA512
0cd85aff028f1e40b449521bda7e9aaa7035888136b5bad902a46ad59929ccad30eb571dd77668b310aa9e46994d4eb840f0290809f3b9c86408c8b4a04c215c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
085b2ec605f650055d40131066b78b8f

SHA1
755b9e73728c25f36ec67b3596573f71f7ec2cc7

SHA256
86689e5a7231993fb58976c3c5e791bec3b054d85864ec9a0f108c063ad2b1cb

SHA512
a4f5bbc4a4337ea04610f04c360f12747622791d8272fc0fe4228596b83c325604741c8db243f2f42c46fb878283193a7c148cd192f778745e6d51b0d647ba73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
d5cf43a67f7ccc11de2ef52311abf1b4

SHA1
4820cc44d913b41594daaaddc10901aae70f56d1

SHA256
a5d02be0472c6ad81615605d4a69ed0564739561f1aa1fc5ce721ee33cd837f2

SHA512
be25446c78c3e30e904ee291178e5f94f92a36f99f6c792a4f874415f47cfb375732bfef94c4f19f3fdd74a4fd17afca47a056150965ccb6a4f41c97a4d8688d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
6024ac1b9b119e3c00da1890c94d138b

SHA1
e917a51b182c0a0f5c58452d5d389d8b93045e0c

SHA256
bdfd45be4c533b783f2272c44d6c171f23600a9f1b76e89a9fb2a73f196c8c22

SHA512
508f4e7bd1a4fea2915a081842a834230f877b6901611763b215287ad5b9fe1a13bc6552f2e9827f7316c766d4631f8be58ddcb96121df8a589218e3e2ddf183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
c0d13e09fbb1e118c9233ad3693d59fa

SHA1
e207f1c8441937362e9df79b8b9e3bb095bcfae9

SHA256
bc875b3d128b1a0342df419d9ae1c2b82b97557c731a5e1423fc9edb73ff67da

SHA512
026cc11f696f05620b123487770d011d001376719e78a80b083cccbab0a33453425d858187a9d7cb6c853bdeb83f3d8cb9ae07555e08c314923e6936dc2aa362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
abd4977eb1e1bb57d0fda4530128042a

SHA1
bab884e9c6c2d01c56bbbc45b2b8d9b71304834e

SHA256
2fbccd3515dcc2f48c3b39f6ed027cf21efda289847c963764ddd94c423d8a25

SHA512
17ae735387dd8bc93052719e1c27eb972798e0b33fa5eaab8aa0c022d963dd47df424757ca4a9be48a84c99fb2c8f36f07e235323cabffd463c3a34b6e8e49a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585f22.TMP
Filesize
538B

MD5
9a5966090553cb080dad258c89a5f696

SHA1
041ecf8995aa866f089300e3b1127261ff91e507

SHA256
71e4b50e0721695c1387cb9c09e8a651e1a510d9513763b35d15487a4aa326a5

SHA512
f88855fb7f4fd15869617a5ae68e260ba45a932e9a1335b7f88c86497d1b30975eda44dde4471c877071d123df9a51cfe3a3239a57d18ad1c95641c43b83de91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
cf5d492e9550dec44b4fb5f809c8f96a

SHA1
c0e4eb68c360b638ca86b7ddac772ad973efaccb

SHA256
78bfdccacfedb7e6bba4188e5ce2ec7ac06939aec73626febf83a258e6640a03

SHA512
ef950f3f57ca31d6173e04c1c55da2b2df7343ff161fa0775e58878a6a602e22c28c8aa32192a1d79967e7a8f1b0714bc762581cbc0efe3a78f6ff0d3d8092da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
444c7269fbecdec7c62c5a397351708f

SHA1
94c46ff03364c5f0c5e2be8b61c25180b3a4cd0d

SHA256
eb17536f152c326062a82b9eeffe6df0c2ec4dc3c0fea318186eb7d19a06a3f8

SHA512
d6d634788387bff92d478bf5d8aec8beffb1ca0763f89354fcba19ea5d8d30b8d66a29e2a35512859238948870aae2a274a90f97f8dcfdfc02f6d7c02c1d431e

Download Submit
C:\Users\Admin\Downloads\Activation Security Warning.zip
Filesize
437KB

MD5
22c615e3ede5c9ce4b0e6b157d3cb5a8

SHA1
4ade6563786d60e20d7d9e004cbb669db2f61f96

SHA256
36652fe4c6d926fe6398d49a448b138fc4eca926341bc7feece230dcd540dca5

SHA512
0dfcf308be70663966625a23c5acd8763a0e2644da7d5965aef168764a44c4200d5116af8f27dee0b8da12783f50d3ece95ec29b53e690673d0a1b859e2b8328

Download Submit
C:\Users\Admin\Downloads\AnViPC2009.zip
Filesize
1.1MB

MD5
9a38c29ff9e12ba2892381eb51c79934

SHA1
76fcf6bcaac32f624fa0154a9177e44469b5886a

SHA256
45b75a116aa3b07f90a7c2d9a83c2cde524797df88bb5e20f9dc1e74d8527861

SHA512
c26d8c252d6f18a2ae4419bbfe27099862a625cbc40d8f104fa20cb361da112ebe6a17935ac3613c24b58f9c291d2219e55f59e0fa40b81f92fccf190115e734

Download Submit
C:\Users\Admin\Downloads\Fantom.zip
Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\ProgramOverflow.zip
Filesize
560KB

MD5
44481efd4f9a861444aa0aa05421a52e

SHA1
22e9b061f8fc3147dd0ec8a088a38272b0d30bcf

SHA256
7b8632db07cb8693963402624e6ad884187b23f81ec7968fba2631909d5919b2

SHA512
819cf783345751f6fb000142b59ebac5b72c8878adfaec1c9472bf242d7a469cdf21a2d89c6e292599606f19782c1951752f763bd89efed35e1b0f2d2fd52827

Download Submit
C:\Users\Admin\Downloads\ProgramOverflow\[email protected]
Filesize
566KB

MD5
c4aab3b24b159148d6d47a9e5897e593

SHA1
7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

SHA256
03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

SHA512
9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

Download Submit
C:\Users\Admin\Downloads\UserOverflow.zip
Filesize
564KB

MD5
e63eb8701abeafc17e18807f996a2c4b

SHA1
e11387f6c188416f43e1a72f4ffdd759f4e43e54

SHA256
7eafd43c18f9613d762567cb5e00d58df71208d6b94c23d634daec42170e0d6c

SHA512
d996ea9566a588bb30fbaeb38435026804b80770a22a1438589e86e47f13ef07187538a105613bfc907bf9a6a377805f69d9e9de071e7ae57aeb11d4ac98a136

Download Submit
C:\Users\Admin\Downloads\UserOverflow\[email protected]
Filesize
578KB

MD5
533d78fdd538bbeee31fb0b72a8cfb7c

SHA1
cb0e46804e784525f5bece40d51772bbdd9a5dc4

SHA256
b7a4fcc7f474c091edc09349af5e53915d23f14071d78a3026c92c49d2467989

SHA512
85e393cbdd2b20da8892173c7951ddf8e75dbfa29cf81fa725a2da56e606b848ea8a6636528d4fe26eca5e6b251406ec870242fe0d44e7863bf22c739d7759d5

Download Submit
C:\Users\Admin\Downloads\Windows Accelerator Pro.zip
Filesize
1009KB

MD5
a42319a2a4e6e8a3ab825933b417a747

SHA1
d27bec4e51652aa5a0e3e9bc27aae3a7a79638a5

SHA256
6e6f0f4912aeadc81622c01e62cac6bbf02cd34052cdca2da582c92005275105

SHA512
48c9eeb57e3c75ebf77ec3744c019eea2ced66ad260536718b0b8599fbc9612ea5456b19be7b30928c089e438336360249e8738eacb2cb9410449dfa55de68c2

Download Submit
\??\pipe\LOCAL\crashpad_880_YJQZQGDNESJKWOCU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1500-6090-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-6086-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-11083-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-16743-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-6076-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-34784-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1500-6066-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2104-40915-0x0000000068440000-0x0000000068457000-memory.dmp

Filesize
92KB

Download
memory/2104-40977-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

Filesize
56KB

Download
memory/2104-40914-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

Filesize
56KB

Download
memory/3160-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-41025-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/5680-1295-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5680-998-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5680-5351-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5680-5976-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5680-1045-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5680-1008-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/6724-41005-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/6724-41009-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/6976-9425-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/6976-6089-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/6976-6087-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads