5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923

Resubmissions

28/06/2024, 02:19

240628-cr3n9swcqg 8

21/06/2024, 17:11

20/06/2024, 14:32

13/06/2024, 21:29

13/06/2024, 21:24

13/06/2024, 21:01

Analysis

max time kernel
234s
max time network
236s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
13/06/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VineMEMZ-Original.exe
Size

39.6MB
MD5

b949ba30eb82cc79eeb7c2d64f483bcb
SHA1

8361089264726bb6cff752b3c137fde6d01f4d80
SHA256

5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923
SHA512

e2acd4fe7627e55be3e019540269033f65d4954831a732d7a4bd50607260cd2a238832f604fa344f04be9f70e8757a9f2d797de37b440159a16bf3a6359a759b
SSDEEP

786432:1fhwEXgLYTou24XbHzjkgV5bQAH/AbkP1hn0qPQPrhBPC7wYqljbdPIa:dqgb84DPn5vhbIPdZaWljbdPIa

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	MEMZ.exe

Executes dropped EXE 6 IoCs

pid	Process
476	MEMZ.exe
1528	MEMZ.exe
5056	MEMZ.exe
1300	MEMZ.exe
4060	MEMZ.exe
4412	tree.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopXmasTree = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\tree.exe"	tree.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\Pussy.png"	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
1528	MEMZ.exe
4060	MEMZ.exe
5056	MEMZ.exe
5056	MEMZ.exe
4060	MEMZ.exe
4060	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1300	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 46 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4708	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1300	MEMZ.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1300	MEMZ.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 476	4616	VineMEMZ-Original.exe	80
PID 4616 wrote to memory of 476	4616	VineMEMZ-Original.exe	80
PID 4616 wrote to memory of 476	4616	VineMEMZ-Original.exe	80
PID 476 wrote to memory of 1528	476	MEMZ.exe	81
PID 476 wrote to memory of 1528	476	MEMZ.exe	81
PID 476 wrote to memory of 1528	476	MEMZ.exe	81
PID 476 wrote to memory of 5056	476	MEMZ.exe	82
PID 476 wrote to memory of 5056	476	MEMZ.exe	82
PID 476 wrote to memory of 5056	476	MEMZ.exe	82
PID 476 wrote to memory of 4060	476	MEMZ.exe	83
PID 476 wrote to memory of 4060	476	MEMZ.exe	83
PID 476 wrote to memory of 4060	476	MEMZ.exe	83
PID 476 wrote to memory of 1300	476	MEMZ.exe	84
PID 476 wrote to memory of 1300	476	MEMZ.exe	84
PID 476 wrote to memory of 1300	476	MEMZ.exe	84
PID 1300 wrote to memory of 4084	1300	MEMZ.exe	85
PID 1300 wrote to memory of 4084	1300	MEMZ.exe	85
PID 1300 wrote to memory of 4084	1300	MEMZ.exe	85
PID 1300 wrote to memory of 4312	1300	MEMZ.exe	87
PID 1300 wrote to memory of 4312	1300	MEMZ.exe	87
PID 4312 wrote to memory of 4648	4312	msedge.exe	88
PID 4312 wrote to memory of 4648	4312	msedge.exe	88
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 136	4312	msedge.exe	89
PID 4312 wrote to memory of 4872	4312	msedge.exe	90
PID 4312 wrote to memory of 4872	4312	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe
"C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1528
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5056
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /main
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=free+midi+download
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
        5⤵
        
        PID:136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:4872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
        5⤵
        
        PID:2000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        
        PID:1936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
        5⤵
        
        PID:3672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
        5⤵
        
        PID:3036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
        5⤵
        
        PID:564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        5⤵
        
        PID:1168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
        5⤵
        
        PID:4812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
        5⤵
        
        PID:3172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
        5⤵
        
        PID:844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
        5⤵
        
        PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        5⤵
        
        PID:3552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        5⤵
        
        PID:3212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        5⤵
        
        PID:4268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
        5⤵
        
        PID:1920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        5⤵
        
        PID:1064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        5⤵
        
        PID:3936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
        5⤵
        
        PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
        5⤵
        
        PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
        5⤵
        
        PID:1872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        5⤵
        
        PID:1484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        5⤵
        
        PID:1172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
        5⤵
        
        PID:2208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        5⤵
        
        PID:4512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        5⤵
        
        PID:1172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1524 /prefetch:1
        5⤵
        
        PID:1564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
        5⤵
        
        PID:1100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
        5⤵
        
        PID:1084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        5⤵
        
        PID:4876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
        5⤵
        
        PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        5⤵
        
        PID:1560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        5⤵
        
        PID:2504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4360 /prefetch:2
        5⤵
        
        PID:716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
        5⤵
        
        PID:3128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        5⤵
        
        PID:1304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        5⤵
        
        PID:1168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        5⤵
        
        PID:708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1524 /prefetch:1
        5⤵
        
        PID:572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        5⤵
        
        PID:4864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        5⤵
        
        PID:248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:4936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
        5⤵
        
        PID:1096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
        5⤵
        
        PID:3024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4406225668458069407,4516236759851397273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        5⤵
        
        PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=john+cena+midi+legit+not+converted
      4⤵
      PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=limp+bizkit+mp3+download
      4⤵
      PID:1552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:1224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=bad+ass+mafia+toolbar
      4⤵
      PID:2032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=stanky+danky+maymays
      4⤵
      PID:4596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=preventon+antivirus+download
      4⤵
      PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:4924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=succ
      4⤵
      PID:660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=is+bonzi+buddy+a+virus
      4⤵
      PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/results?search_query=tootorals
      4⤵
      PID:908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=expand+dong
      4⤵
      PID:1876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:1484
  - - C:\Users\Admin\AppData\Roaming\Data\tree.exe
      "C:\Users\Admin\AppData\Roaming\Data\tree.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=smash+mouth+all+star+midi
      4⤵
      PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
      4⤵
      PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=how+to+get+cursormania+in+2016
      4⤵
      PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:2612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=skrillex+scay+onster+an+nice+sprites+midi
      4⤵
      PID:3928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=snow+halation+midi
      4⤵
      PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:1460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=cortana+is+the+new+bonzi
      4⤵
      PID:2284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=animated+christmas+tree+for+desktop
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c1363cb8,0x7ff8c1363cc8,0x7ff8c1363cd8
        5⤵
        
        PID:3128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6643929111901403705,4747297854861810795,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
        5⤵
        
        PID:2820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,6643929111901403705,4747297854861810795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:3
        5⤵
        
        PID:2536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,6643929111901403705,4747297854861810795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6643929111901403705,4747297854861810795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        
        PID:2472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6643929111901403705,4747297854861810795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        5⤵
        
        PID:2100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55336d6efe5d3fbc638965ea69ec5bd7

SHA1
054559c8fd0e23a85077d5681921b4fe6de84236

SHA256
ec90601f2f5a4de1ae640128a2d6164bbd401c46e1ff8337011166cea4e308ac

SHA512
7bf2478b8f8cac5c711e9603a0efefa8ee8a9bc8b6bb6f9dfe8002d92abe96c15d7d2fe9d4fe7966c6b8812934373f5c11f4d4c4c8b3520fabaa5fdb970ab877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ccbc5c76b4746b15bdb06d3b4b83d952

SHA1
d8490493a9267ace2535ab5190f73152721e6801

SHA256
0a019dc741215b861607e3d3829d2573776a8cd2f55bd29e47df786580a0dca6

SHA512
62b98e3704a5b92da027328b971d47ecb822c72615bb701b6f86be208374ea25caffeebc1ca5272fca1cfc62738452417a9fb9b841cdcf8e7cacf70c816caa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e7391cd609910949b9a7d0f5e5231c2

SHA1
caeaf38bd7da69879593cf75ca3fb6fa20b575fa

SHA256
f10db9ca908c73c723642b4321c9f24559dea846c0bd07d6816b3bc9f2d24a93

SHA512
053e70afe1f2a4f5306304978e80650aacd06cd0c6fa530da7b6d15a7a89e29a8a7d9b3aee51901ae79b71e627020279dd7a05772258bafb65d6d6ebe2b34f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e757db4d49a9af3426512afeeb9bb93d

SHA1
ffe4de947c6958fc151dc315c08198e9508f8025

SHA256
805ffa4f67c46d8b7ea78dff53703d0c9767de4dc5a191c653500ad2aea6493f

SHA512
fdd09a7208d53f8e5e2eb54ca5410881cee470e405d4bb3fadacadf6c1fb5bc0bd69e913d609e68584b3074d5c6cfd0251d256c55c3b0c9df0b490817a412dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7a828c207ea94ca0f8e697e5ddeb810c

SHA1
a56810b8a2913ccb9882e3486bff7f709044c618

SHA256
d01b9b116e66389eef9cc650d676f9601402cb114ceb6c07ac9692b2f6050430

SHA512
30804781faf665b30ef0244abc0da2299b76462aed67ce0091ee9d73f2adc01cf0cc867f295b217671dd2f81fba63a5a7f789852ed682f331f51fc742c02152b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
20aee9a60aeb617e3a04ea983cd5a844

SHA1
f7658474362b19c638de8754808b7871c30869ae

SHA256
c9933b9f62d022eb8385fc095d834223f701fab65b9ce3cd7a5d1d81b124f037

SHA512
dde1cdae891653751b5b54765f1b3cde757a493a56561122793ccfe755c2ee07ad91e5dca46a97014176a7861043609586e86a5868268b9b318a0dbc491e8336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c0a539243278435d58b86f9d9896da4f

SHA1
a6665ef91cc75716ac1249a3687da7cb1f508424

SHA256
10cc6a667b808b27f0a892a77ef8913a81fbfa040e14a58807c5fb2a02753510

SHA512
f77521715346725adbad443bc5593dcc905e722ec68fd37ff7c2bba8d0c946786e341656215bab4f008c3c8eb870a3c0751221658b4f369bf713e537f324b088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e568c90c2bfb273594bfc3a99e5f1355

SHA1
100e56503e88141df1c115ff7d463b9e80b7d183

SHA256
2282357712d9c6a473b488616a686e8ad0a377b982fef507de285374e7ad91d8

SHA512
726b22656c12216f8745fe70c0f322d9417f3e17d2f3fbc7de9e972ae76a6eacd13e987da5ac52d06e5b6f6caa7a0aff7f66fde5f3bb08e02f28201f182018e7

Download Submit
C:\Users\Admin\AppData\Roaming\Data\1.bin

Filesize
7.4MB

MD5
0b3c41fee3a69110fb58554519cd4639

SHA1
9537cb0405973ae630c3d926cda6a2825b9288c8

SHA256
587b3d5078538290e49d2a8fd1740a8fc7960a0faaea4d5cae0959d99ed14fef

SHA512
ad2eb4a04db685649d70bdc521cf59f570d5407d284f5bb419efc60b94802d91a755417ba4bc44bceec78b155295b084fc6edff31d4760c08058cc04ebdb0008

Download Submit
C:\Users\Admin\AppData\Roaming\Data\10.bin

Filesize
452KB

MD5
a2f47c218e2507db3b22eb7e6d780001

SHA1
218a59915bfede4b5cbf2427200566709aa05bd5

SHA256
5b60fc854544978a715bcbca8f5a3abd28bcd0bd8b50fb953318640f7a266d37

SHA512
ae7152c080773d3910eeb05a47cfb551875e65dc5d88734114d03a6526348164caf179f2fc3b743850ed90b4fb80542e8b36ca31b3ef8168302500fbc0a701ff

Download Submit
C:\Users\Admin\AppData\Roaming\Data\14.bin

Filesize
479KB

MD5
e80a37c42ca0d2bc7f004afc4b822d6a

SHA1
f17361409ecb19135e3b4292199fb69bd4b012c8

SHA256
71ec6f96779240d530ddf16fecb1df97661b9e1ba8201135459729c8d4d2bac5

SHA512
b3ff7e71af33dc3368a198de8aaa4cbad8daf7ae90b3d398fe9f2cde490bacca07e6bcce08f6afec5943b634a2ed0ef9b121b89a68992d22bf3f831b6f33efed

Download Submit
C:\Users\Admin\AppData\Roaming\Data\15.bin

Filesize
528KB

MD5
3948ca5e92fb2d019a8f16765f7a5e40

SHA1
5290a66876ab0f62ba34b6b524a0e7771e31ee3c

SHA256
ca362bcaf0e62fca16febafc2d15cbb1ea92e2ad6cc22fa5337316ab8bf2bc27

SHA512
ad56d867e1040bfb5b2998a2d62ffc508989a5fc501f22ab775bc9f715f1cc2d4ccb0a899f8b2a82e7597bf715ad70b6826875e72e23273ef306f5bdca47df03

Download Submit
C:\Users\Admin\AppData\Roaming\Data\2.bin

Filesize
353KB

MD5
8766dce04feb646bf62206d64d6eb0ba

SHA1
91c5d588028c6c949e9cbcec950bcfaa35a791e4

SHA256
f87e1ab69bef059744ee9244f37b0f21ef7d7b06fc5245094cfa22637ef6ae9d

SHA512
0bc8fc880bb94ad55a732f2be207d88a6bb0ae8d97f91819e889d04420a71ae5d91af21861bad351c5fd7f4e944c1899b17df326bf19d310cc31a95fd38ee6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Data\7.bin

Filesize
372KB

MD5
22df6fab4552241b0a7d650a15a336d1

SHA1
1e2b12c9ce52e5b433413d28d96be0974f6f7390

SHA256
d47f4fbfe7d145a737cf2e9a6c519e38510957a2ae663d4295e00ce0f6e651a2

SHA512
505a53580f7f76df021a466fdaec6ad8230ba04acc7115286d1a801d51a686fce08a23aaddaf0e134e94ce822191892987db8541edbefaa6928a2927c5508292

Download Submit
C:\Users\Admin\AppData\Roaming\Data\8.bin

Filesize
408KB

MD5
5ada580c290b53327fc8db29d5cd66c5

SHA1
a504aff6a9fa93bf4ccb69df17b5238804c659f9

SHA256
5dcf1f4b285a6dd70ec7acd77eeb5752a3d381a8a697eafd394fcde615f3ba63

SHA512
36da1958e7b4fad5367b257d9343c4eab59d50b01c610514d48eae2d0eeabf7efd06dd8fc63551a0a7e11df91aa3ceb063003cdd9c30c6755431ba218524fd49

Download Submit
C:\Users\Admin\AppData\Roaming\Data\9.bin

Filesize
13KB

MD5
f0e3d4ad2f1d09acf314a9e7a92777ff

SHA1
958224c3c98945c38f4e12ad6d1c64c4b91e189f

SHA256
b897644e314b31e0dd5159d061b9e77a512178f29a9f36076ec105e286212bb4

SHA512
28ccc056d2f5bde039cc3502a584cce3baa5cf9700fda8775344935438a6951989b3a24903693ac5e5292ff250cc27f338b783b29191948bed7ff4cc8038c8ac

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
21KB

MD5
5761ae6b5665092c45fc8e9292627f88

SHA1
a7f18d7cf5438ee7dcb4e644163f495d3fa9c0ef

SHA256
7acabca3631db2a73a5e20abd050097e44390ead1d74717aed936601904b73c2

SHA512
1d743b407663e00a296c2ae45cb5a05a0866657afafbc9e8220e4c1839cbab2c09bf2a3510ec8016f902ccb7254edddf2a3412e7f5a4cafcabbeb5724a67b46e

Download Submit
C:\Users\Admin\AppData\Roaming\data\12.bin

Filesize
5.4MB

MD5
9e0ab3181d32ac9950dbe1026b197207

SHA1
d8b53f3a93d5e2df9507b6256f2e414712347256

SHA256
a3091d14161d268924a4d6195f820c64b1811d6afbd6948dde29e267ecb56cae

SHA512
424f8f0a6e945fcd831ca0d0f73f898dad0214f38cc477cb3be8b161836e349cd5d629444033e134e2fd6b8c85cae088f177aea4e26d7192a4f60a5739584c2e

Download Submit
C:\note.txt

Filesize
133B

MD5
910efec550edf98bf4f4e7ab50ca8f98

SHA1
4571d44dc60e892fb22ccd0bc2c79c3553560742

SHA256
7349f657a8d247fc778b7dd68e88bc8aba73bf2c399dc17deb2c9114c038430b

SHA512
320de5e34c129dd4a742ff352cfe0be2fac5874b593631529e53d5fe513709ac01f5d1d3dfae659f36a2a33aae51534ec838f5d3748cd6d1230a0f3d29341442

Download Submit
memory/1300-52-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/1300-48-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/1300-51-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/1300-50-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/1300-49-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/4412-379-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4412-395-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4412-437-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4412-443-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4412-558-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download