hxxps://ptoszek[.]pioterontop[.]rf[.]gd

Resubmissions

02-09-2024 14:56

240902-sbf4bstejb 3

02-09-2024 14:52

240902-r8xlxasfmp 6

02-09-2024 14:47

240902-r6chystdjg 6

02-09-2024 14:46

240902-r5b6sssepj 6

Analysis

max time kernel
254s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ptoszek.pioterontop.rf.gd

Score

6^/10

discovery execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
114	discord.com
120	discord.com
281	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{D994DD69-D9C9-4A9C-A6C3-112A3FB0EEA6}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{B6006E69-6486-45BD-A29F-579D40658D08}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2516	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5440	vlc.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1408	msedge.exe
1408	msedge.exe
2056	identity_helper.exe
2056	identity_helper.exe
4404	msedge.exe
4404	msedge.exe
1568	msedge.exe
1568	msedge.exe
5148	msedge.exe
5148	msedge.exe
5388	msedge.exe
5388	msedge.exe
5248	msedge.exe
5248	msedge.exe
5564	msedge.exe
5564	msedge.exe
2436	identity_helper.exe
2436	identity_helper.exe
2768	msedge.exe
2768	msedge.exe
5508	msedge.exe
5508	msedge.exe
5516	msedge.exe
5516	msedge.exe
2596	msedge.exe
2596	msedge.exe
6068	msedge.exe
6068	msedge.exe
2692	msedge.exe
2692	msedge.exe
2652	msedge.exe
2652	msedge.exe
3396	identity_helper.exe
3396	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5440	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 58 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4216	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4216	AUDIODG.EXE
Token: SeCreateGlobalPrivilege	15488	dwm.exe
Token: SeChangeNotifyPrivilege	15488	dwm.exe
Token: 33	15488	dwm.exe
Token: SeIncBasePriorityPrivilege	15488	dwm.exe
Token: SeCreateGlobalPrivilege	11520	dwm.exe
Token: SeChangeNotifyPrivilege	11520	dwm.exe
Token: 33	11520	dwm.exe
Token: SeIncBasePriorityPrivilege	11520	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1224	CredentialUIBroker.exe
3188	CredentialUIBroker.exe
5440	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2392	1408	msedge.exe	83
PID 1408 wrote to memory of 2392	1408	msedge.exe	83
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 2812	1408	msedge.exe	84
PID 1408 wrote to memory of 1180	1408	msedge.exe	85
PID 1408 wrote to memory of 1180	1408	msedge.exe	85
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86
PID 1408 wrote to memory of 2768	1408	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ptoszek.pioterontop.rf.gd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6c0f46f8,0x7fff6c0f4708,0x7fff6c0f4718
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7844 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8424 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8440 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,8799659454385950550,3897495958585343083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SaveInstall.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7fff6c0f46f8,0x7fff6c0f4708,0x7fff6c0f4718
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7064 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,407557237768184052,3183798561976857436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6c0f46f8,0x7fff6c0f4708,0x7fff6c0f4718
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4206935112541477133,966187543009047517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:1684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UnregisterOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:4200

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\90957ab27282474ca0dfe7d9f20ae4a5 /t 3956 /p 4200
1⤵
PID:6020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SetUnlock.js"
1⤵
PID:3796

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BlockSearch.mp2v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5236

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\guwno.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\guwno.bat" "
1⤵
PID:5424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12688

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15488

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9a35e10619e92fe055bc1ed9a2767107

SHA1
9abb6520603eb621d39a8fef96bbc008a8df4f27

SHA256
5906159de73933d3b5d0ca64cf4ee4504c71b4ece33c175886ab559f423df815

SHA512
782cd307d3ab9aafb39bc1434a096a13ec898ff5b09478c60f6728f321cbb21a8c1dbd681b507cab5e632baa5ea4e2c31b99715c7ab1402dd27efc94bed72cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f43cadf854f0194c3c795c38fef8f03f

SHA1
12e23328ccd89cb13c8486ec4a8a295e22f6c25a

SHA256
3e865e079793509b47dfa42710a6f874b83aae3c2387cdd551b5357ff5468778

SHA512
cc31b27c200d403b561ea1a73ee2aecd4cfddb009a62587a19b286d8177c95f89ffab2119f3637f38c2b5d50670ece835133edb1c24355a99367a557cb4f5fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3df1a39f-0c62-413c-a5df-e8574e2032e7.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53c025a4-f577-44a2-9b42-5ea664e3b56b.tmp

Filesize
5KB

MD5
1e990ebffcb1f986e210054db547f4ae

SHA1
c544200553205984278f496413ca69e72eac5951

SHA256
c7d6266f6f0267878c3ca7261cc10e3320ff53d97e8e7a28ae7ff611aa51b870

SHA512
c5de043ba5a9a17d8762cb63a0411a2de9f78a45473dbfe44a00b298a5c7a75f3ba892b10c7f6ec96faf0437bb42e8f7b2aa8194c118c5bbb248da4babd7a0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f9e96cefec342c6854b9e1ee86e405b

SHA1
738bbaac3ef4d926f512c6c7fc1aecc8c39908b4

SHA256
15f9990e9df78e2cf48359870430c488beaed5751fdea73836047896df84b25f

SHA512
d1dcc2019563028aa5ff59243a1c6e9f9a4ed743de5a716fd0cf39e85af4c2961d209beb40c034497c50dbab77781cb0f9fafe59e47a816cf4a9b66ab91b9fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
3457094461f7e3e4743b9296f9ad1d43

SHA1
024ae62b628a80c54ccbb62fc317f79a28c41a3d

SHA256
c91e99d2d7c05345e64c15df9edc4668aa1fb1b65ff89ff7f12bd9979719b8ca

SHA512
92a255b077e524ff7aea9b9bbecf5e4219d122709d6462bc511d5bcf075159f4481cdc5eeaaea5da62ca7452fc887cbfe5ea7e009b5cec2def219e80a6d12114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
19b6f644039566078138f6883b0c5b7b

SHA1
ad9cf17386d2b2dcff812c657ebc337da8787444

SHA256
4914c62ca8f5e48d68f747b7c88bd2f61750dce95a24c433d8d4dc8a5a951eb8

SHA512
93f0135eff5d222faa42cfaf4d9e0a25ebf6e9b915fc330262edf98f88fd3f7e42264af021aeca3357439f5e6d69a2c07822be90a62a973d19625c1e1b8ff73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
6168235b5b5194ff6dfcb4f95c8b7905

SHA1
1e488e118dd910b6a84d35ff0d7fda994bc195e5

SHA256
259f081a0ec8c3d3802baa77e709b350ffe7daa27e18a9095d518f79973b996f

SHA512
c0dbce6c2b1ba31dae95a88ffe65ce24fe873bb1e3d9082ef231d791cd465366855d0e3103217a18d44674ed7ab09fccc66512c1787a7ce23fd547e63c755bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
bf1e20ee080a3d4fc78f9a3f3353dbb9

SHA1
0ff3c9d92cce40fb2a48f8c490f5465d60bd6b57

SHA256
a37ec92c2c3d19a5091d5bc2ffd5102e89d97e867f34c8c7b6f638b038c70d08

SHA512
0885fecb2d4c7b0a3744ccfc9be8418286897aabce01035ec3f86d180c7cac903a068214abaebd07b0042e4135b40b63aa5154a770d087619fa5b33d5b1b1283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
0311af6c9710c4d0055552806fc25249

SHA1
c45b950f3d2cad7091ab29a76464377ee7bdae03

SHA256
4c2a562a101d67ddba1f5177b641f78a3892da5818a3238b28a4fb5008c09476

SHA512
d5681a0be6837f0a3739072faf1be5ba6764dded29087195924dc8760c59927cd1d67824543ae8ac1fcd95e53c508c9b3302d6672ffaceccead6c0f5460486d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
cccbf921b5a617bc3ae5f08ee7435e05

SHA1
5e3b3baf398b730b531b960b547d5e8ccdd9291e

SHA256
eed9585205418476bf40c10e63fcef066ef27e7d3bc41c5d6055ef0ccfdceb8d

SHA512
860b12387b5235adbc6a5cbaeed9b7251a02cbd47d3a9826590ed6491778e8954e0c69aa189c837c9b4128b487d6cd9abbc2a84319d748e3b994b83cf1f19f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
56fffb85ed10164cf890a75cc0590d09

SHA1
81bf539a2651ac28a5cfc5e724a9aa27de4b1645

SHA256
8d4be93c61bb195382fcc3d22e7a122c3b9cb1d2ac53dd4609c79799a027e0a0

SHA512
fae04c11b9346b421f24d7b0194fef39b04857af905cafc84e23846573da4005cd3d45a0be83be160c6ff43b6ccfdfe8e288a054848bcb543857825edcfa6d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
184KB

MD5
191bd120a836fc27d02f53c68b5285ad

SHA1
9ea8c6eb718e83cd1ad9499964af2733d83e53af

SHA256
e138dc7de57d1eb05e3ce13b4d00392873d57bd20cdba3ea0d826755ea1945e2

SHA512
8fae3a0eff5b1d8283f3610b6f9f2cdbccbc790201acb0304bcd8cd7ee7237b34e3bba8e4f79b60971ae29d8ad86c1c2b06f91abc98e52ebe5dee24832cd113f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
28KB

MD5
ff3a8c06d330330e9b4fbf78616f06ce

SHA1
e01ccc9330a99e9dda10c466d7c3a853d85f83e9

SHA256
8e61ec62e64ec26bb914ea87276192a25357c598c4a0e050686fd72ab27d3825

SHA512
5afd9eb2fec34d39dc8c40e0afd6eac506de58b7f256dc09bc9c526544a41459829b5a9457ab4ba16b69cc11b393dc94c1e64a9fdd68e43f221f19af0fd4ea3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
354B

MD5
91cc03a73206de28ac5d440e96f1f85e

SHA1
4e50468c4c939544de2eff6c7dc34a77a37ca47a

SHA256
802361f793c23896d4a6ff04a34d9631e0e2bfd09fdb709fcb9f2f500a2e471f

SHA512
0252bd64ab2a3052a36753471e76d34c2542cdd9e0cfbe8d85ff566f6338c72b3ec82ef8de0ddff9577128603b2141674586c2423ee54f25551421ea9de3f72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
5ddaa94ced9149b1766cf220203fe9b3

SHA1
0b19faaaacf730cbc6596c2fc33262ca143952dd

SHA256
cad841b8313e0f42eedc67c77b2e7e9df9952e40d2676aaf53c7f06e17741260

SHA512
f2d6acc9eae741259442854ebb9031840159b9b45d4bea208ba00bf722c8a77ad6e16e9c840e2d12d889195ff90a602f3f51ce3b5334da5bc666580a9c6861ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
6ba2b707a581dee41326edd9a6911474

SHA1
d32c09d7716927a7f6ed9ad94815401b3c2bb4f3

SHA256
0df3e2af4a85a95e4ddfa28d698681ca464da87fd83aea4129337c85496193ea

SHA512
b9e91f5883eefca3cf80bce0c9aa228124bb83d02dc54470eea585ee12863ad3065b1341042942779d64220909d9857d44c0e13a5c8eebf1f9d06f3573f0969d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
92b99358d30cfe4c3948f413d3e4409c

SHA1
a54042ac352d8fd8ded25ebb249d03313525effa

SHA256
1ec90c09562ebd7903cdcca5f95169a0d917339af0d58940307361f59ff56259

SHA512
9e7d20055c293b2eb5d92d262a4bd043efd22f16c3464e8b3fb2c64fa3ec0f10813f25e41906995a4f8c76c9c907762aed0f4e21ef83608fea2f766e3bbc1df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c191ed2ef583e42a7efe02c601033265

SHA1
c47e842fde1937b440acdf74949c33de8f1d2e3a

SHA256
eac4fd03e814936199296cf916431e82fb06f86975d588c0081439548fc6171e

SHA512
0638042063dd081774d93a9fa068f43dcd225ef672ace38751ac16e8d6e48017c482880486b8a706b623fed197da69650028650885176fe0c83f306506ef4683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e5721d78614fdd3f31b537fce760bc17

SHA1
92f8e0c114d7d2307a010b7359a549795e6f468b

SHA256
3eb74ba38305cd96ec885475df6f40dfe8b86038cfbb9f85c0e9a6fa7e2614aa

SHA512
f54e798928094191c340e7c36d205f836732a36228e0c58a1530f5ffa03a9a79c32f72370f368bc7c4a33994a688c2d57c5ea991ea1735ce4046932cd1510eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
31c31cf544967acd11253aed2c6753c5

SHA1
c73bb19e3cbddb7997c18ecaf793146846738559

SHA256
daf5f4954ce1f796bf18783c5c2bda146860c821481f306f7dc63cd1acde2cb9

SHA512
533d557b4903df4d9a73e6ea7a0c9afacd58b71f506e96d4acb6819ed6dc89f5ddb279fccaac525d0740fe0b38e2877bf011ddb612bd296cb0d987c3962270e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
78d15b96f5dd3272a99352695048e2e8

SHA1
a57db3c6c0ae8c9d965b7cfead9a0a97de14d120

SHA256
0e4456efd42e8590d895af04fceed2fb0362d66572e7d9cedeeafd91b4f19c33

SHA512
5e67b3cdfcbaed9cd290d464d299d90ba991d36a0cdec203e1a5f45ccb768b7a3f90a081a784c7f54286e7ce3932f421440345ccd24e97bdaf37904e8a0f9b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2c3dba691f90ee4be23d2ae6ff66adb6

SHA1
3637072475091c82d7f5e42f40731a022a851b70

SHA256
8f79073ad9388b7ca2e799379b939b1cf21ad8261dccfac7aff439efc337151e

SHA512
02aca8cf5998c1cf90ce13c5e96d554f5ee10f0314683a3f67512831c525dfb7e43921386feffaaedec53be8085b48a89d88678456045cb9fa3967c382848812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
36c9f00b552cca7f5c64babcbe8b0ece

SHA1
5116945017419c6109c9bb143bc8912ea31086b9

SHA256
489314b79df1259348046e16a413b524b9a7bad5e275d93b2aeaaf0e3cf2a067

SHA512
7694ffdb05717d06d41b1869969ccb0dab7f225d1148575e210e293b0267a5dfcc3a60dff3c3b50008815e2cd576067e4c3d333a1f22a127f2013d01ffcb7b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6767499a196dd41c8f36c35abb53443a

SHA1
9c31d59185a368f3c6ffcea27b5f6820533d4e1a

SHA256
4278671952fef34e4aa9344d7b3941bee7763eb4b8bf0df7acb1a91bb40c4376

SHA512
63dd268992d19af90d1e2926140139e670c59921a8d9b4fb97005cd4aa86e45e6c36b3602436dd64efc08bc60bc6928a2ff1ba9815c7aae4763b090335892eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f99f1e42f152cafe2f172223b4e167bf

SHA1
8cfa5428f4b74363042934443d4315941df328e5

SHA256
8db6bb488a5fe609307e2f685e2d967ea04bbe0bcffdb3ae3ff8c114a2213942

SHA512
579393b666fd22a94c4d745b0db62c5e5656d28c6917ed546ec9993e71bcf655d323b03466488b996690200edd1e1280b7ffe2b046ba37c06f39c1889a864f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e3194b0c2536496b69f3f327921180c0

SHA1
c36e58e340f58c40318813512f7d24d8367741e0

SHA256
73f8ddc92e5dd0835edf6baa15e8d2cd09323f0f99d49033b332926813aa9563

SHA512
923e8f6f3880b92452d93eda7622630aea2e289a2a5bc6d2cc29f0c4fa02e8ddb2a3c664d5ab50829b2db69fb49f2030bae99e1cf23c5c8abc3a435c98e2f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ed9c406f07030311d4da7b8b3345c91c

SHA1
ccc296fc91b25d3c03cb61019b8f4b0674f1525d

SHA256
411f961769c548e03f77ea3b50b9360d213567695e6a79bbd429ac07e0497807

SHA512
6b49bd84cba3bcb2da33de2e6466f0f5c4cd4e74de165e50e1b0b9c7f064a842d7e98530e9fccc58c90832151213b2e82d5444910a84de321ae7a58e64e346a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b4af13e4560250391ff92892dd2f3425

SHA1
4cc15725ec35d2829e705f04c26a86b9dbbed08c

SHA256
7ae1659080a98b173a195a6175880f7f4654f62e3ac79dd01cf1994757b532a6

SHA512
e50f60e4455cfeab8c7b5b17d3db52849fb5be3f522fc5dcef88e403bb7258e8770803bfd1147c09aec4d426eb9007cce1859795dddad504131240d5388a2637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1a00ebd0373520ef7d5bf28fd3d93d13

SHA1
081d48588f3f7cfe661eae34ec1099efdbbdce47

SHA256
9e869a32a203566750abdc469297cbebb77aa1f75c3ebabd4b953417baab7f4d

SHA512
6c444b954c9b38a6b46df2b87db530751e0179e84445cea2a793992e4d76b055bec7b3a541d12df31fc40306fcc79f02df377ea7e163984f804a227da0219e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
88b69bd1788ac524f738cc9039f68799

SHA1
dde37da2d9111feb2e1508571297027b6698d0be

SHA256
01b03654f2f5eb0c353cc9161854b4f2bbe26ce5a7aafe58a31b321df5f9beca

SHA512
c3b311bc4e20dc143c36345b840f2a977dfda652f021ce8268cd220d5252016379d3432b75d531159c1504c184ab3bef904487513f8a8dc488857565b3496a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
32b06fe2d3016579f99e1dd5b36ac269

SHA1
08ce6a8b3ebddfe8b98bbb4affef756cc63c9361

SHA256
2d5ac231d690d9b9376d0fc295e3eac7990e712fc9c0cf0e488471d29eda7f5b

SHA512
eaab02c843fdf73fb7b5ce66033ee9bb1cb65ea0aff894b0482148aac1613c16125f5b908fcced27b471ce918e0e49e7f07f45583569f647bcb2e3448c7fa169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c2971c159abb31d2a4598af149896164

SHA1
85d928ea5bf614918b706ea72d43bc3379c17122

SHA256
9821623a66da2aecc39d3b2511d219f9b172a900e6bdd972d42e2a358fb95171

SHA512
ce3e7b645b8c14c08d41fe4f81805a6d1dbadb785499b15666669fc8d0c5fd5870131f701fc426719af16bc2c238bee212cc4fc746cd925496e67f4f37cad666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
925B

MD5
2981ccd65084bcbd2c749d4e581bf934

SHA1
63ef22b8aacb9e34862db88d2a658ca672e7f1a5

SHA256
5cbf2cf0d9d6c1cc16cc7cefc047faf4967261c1e29134b260490d911d4b1a02

SHA512
9f59eb1c38fdfda69f5dffb524521e12258181ccaf17d3e995a617514bb627ad26a1d3e9a491a089ecae78e58331d19be19de6fa7321757d94638400e5abab9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
7b1e91961c8631058ba0799de4e4466c

SHA1
03925fed3c87af712c3bbcbc07e6a57cf713c88f

SHA256
5f98cb628dca0509bf04bfb93e71c359f276a42e62a1c8d7bcc7b8f8ea91a4b3

SHA512
a01eec00472f88a27347f954b38607ec451260e909c3ed3675b6d875ab13ace5b21dfcc91619da44bf9bf204929de9fc107dc037c6fede8deed1c36e4ceb6670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369762353386726

Filesize
56KB

MD5
3087828b4baba47fed807c872eb3a5dc

SHA1
7e04f7efebc1b284158b29ef8071085308173344

SHA256
5d72896ff515d862ebbc7d3fb1950689980083520681fb84f9b575be816c76c3

SHA512
39f916b9c197fb401ff728a9ad9d27d0fccfcfc8da62cef5beea55cd1c0c867445526da2b354153b56bb1db185e6f413dc1463ea7d130cc1c1557466a60bbe65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
116B

MD5
f6647726f0993e41b801b157d884e579

SHA1
14483683927f6a7f5d5274ad1efab7d331fcb90e

SHA256
badc131c5664bfda1cfe05d77d0ba18725088a49c9820df3e66229580a1f12dc

SHA512
1e0b4f7ce3aa7738a39973fb75e27d3cce8f2a835f00ce01487e582e282f543be65e76a80440b7774ef296a841f3ecff605c5c8fe35d272cee89d715be8d5af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
77d741ba9c0ee425279831de0d1bbd99

SHA1
a1b0f16707e041c3d57dfd717074f6e1141c05b2

SHA256
bca22fb3c7d469e8bb668b434c546578e76cdc82e94962aaff1fe5679b5f0b96

SHA512
b7acdd07142d9e362dbe213a128daf6cd4e438d3c0d4a19be038123cef786747122f93e1f75b8bf7c25e9eb4e60ee2f15ddf871f6ddc9a6c9dc86f3b68a653b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
25bf21281a7488fd292b920529a05596

SHA1
61919af5627106c41ff0de8273b21350580737d8

SHA256
1896b63711444f2f4a5db04193411496fe05a6253cd7bfb6c403ce7f7e6a97cd

SHA512
3131cca8eb6987bee9d7e3dafd53b13ffffddafda74e066b572b79ea5a3140fe72434176036bc4c7d2f74d7a2034619ec042f90eae83e1d421036006aa50ce67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
90024c7d61e71949e7d50a798ec32275

SHA1
497776553546c288a871be0a65e4c999931389b4

SHA256
11c37d3e8a09c15c418f1c24a4571db00d0d513e37de2a6593086742df41dd2c

SHA512
af234f45d2621c6c28777cf7b294d6b37036dd2f2fa251da8eebff26583e3d49a3c5c0196397823e9e6c012027e90c4cc1e9f86a0ce1cfdd60b99de84e45b472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
e950c1eab3c0dcaea018384563b25279

SHA1
57dc596fae4df4c6c66d85f30b0dab7520401718

SHA256
4e288ef1a1f9bb7bc42e2b7b59f7b8d7a91e2de9d8bf5e84e8e27d4a4ecd6248

SHA512
dcdccc08cfdf9c5f255f2252eb07006a687db20251d13c8a6049f400de31d7f0df5bc66f47ce743ac6b029b826d94703e4cb67718da0564c93e757e7c9e8522f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
c00c3d79dba0b079a36fcbf087c8820e

SHA1
4d2c4535fc584e07a570fba3408926a98a92930b

SHA256
9a5929ad3f90deb9e7db580864b603a913d51bb583f3fd025e0ad5914e74c637

SHA512
0df739ad6675b7ba2cd6387fc58ecf57590a69ddff7e453cc08636c1603f669b96652c26224263715041994af9096d92e6174defee080ee37a54789a41fddd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
8682db6b5b7c43282dcf3617301e5e4f

SHA1
a6d53158c1b35196a54efcef51e95fcd2f824fca

SHA256
9d67c53ab25315d7a5b88a3c0fc6ac2962a32ac4576d14c6b49fafe4386ae0a6

SHA512
cb2cd343096f87a9b92246e2d1d11eebf244a1cfdb726cc4fda810d9318328a8e81d9a87bd3292e0cc6b2e60f20a7d8abffc2ec372fa85bd3233acd5604d2a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b17.TMP

Filesize
1KB

MD5
718386148132a68a220a54aed59489c0

SHA1
72cfa20636228c1463e03a761ad0022e4ee74e7b

SHA256
758cf917edc68088741004e641b4e02ec7ef277a2adb9d9285fa8de2ab61c9d7

SHA512
78327bbd23992c119f83e39c2da9c5ae1837bec04a12d65bcc33c17f676f7d944a2d9305f98fd5f0b6a3a137792434a3026098d81d5465112a9c22f64da8f9bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
440c41ea06aa67e792ebb85547e7c475

SHA1
dece5314ea1e43808030609269b42f203990cd75

SHA256
7fbadf6e25033c35d2e24829c5fe9f1d0f8bdbe5d28be0977bfa951db894fe17

SHA512
152196001525eaa527d71d06f2af271b281ee81edcb659f60705402e807f3c866d42b411ec839e2112e3adc39011f5fcd98651ebd32c247a39a7052e99e32a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe57af6a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
2.0MB

MD5
ddd5486ceaf9b37d7f746d4544be1fbe

SHA1
c7c40158d85d483ed2b7d89d0c28e4612627b8c8

SHA256
95acaa067b9ae4935c258adb6549e6c3dab49a6d1cd237ab0634340534802ab3

SHA512
029e5e9196b325001d2115b206c5f999a363b92908cee57aef381dde8d8ce1bc1d5beb34ea3db8e3d82867e2eb531410a01836e6ee0484b583b1dd480714f485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
10KB

MD5
41dd9b99c1222807e991915bde1025c9

SHA1
cb69eafbec63985f46d1be8fb5318e031b0848f6

SHA256
0bf68b9e305115e9dc3cb411ea65eb6dcdd782fd8df62b269fb5cdd4af02c6bb

SHA512
bb12cb106789936a7aa9d9398ef821fc6e642a9a21b75963bd803538691092181fe7669bd3182aee7ad4589acf3fc7be9d5675188b8d926c98ddfe5dd2f8cdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
85feca7c6f874f85fcc985b115b5f800

SHA1
5fca7a6287da7426884bae8301ae74c52ce1b8ca

SHA256
067b604c41788954af618ad964fbb359decdad73f9c87c2a003bf65af6ffb316

SHA512
5569c5244e4fa3c2096372d8c8ced535e36de66569947621649d1e0a0fb8f73ec5eb563023d00933c76fb13f0d57b65de6e56d8ca43991f041f5af43e9361a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
78a7015689f6217a3dd9c8296ce98410

SHA1
f7876548c8ae2ecb128a9fc4be79b87c74e061b4

SHA256
1a406a4f396fb4b42aa048652a0a8eda8bee8c6f50f28374faa0d0c334740a60

SHA512
dab462742d59a0c819e76730d7140a99525150e8bac8eaa960c091a4658ea8fa73dfe49f8f923b25870a9e6512c9fb0d0b08c1f1c4c62c0298be09428608e138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
fce9c9bf1dd943c6744e0628e6b82e4f

SHA1
e7fd88bbce5d8382877278d5e0fcd534d42e3c01

SHA256
13c65ce2f1c6ce67eaaf71688ff3fc307fe19e415f03902819c1bc4664257482

SHA512
6971e27545d4fd688f1362267196704633a786ac1a804cc26d743caaad210183bc0bfb9ace6b605b21f94ba67fca82909d839949c6ce91e33636581e43af058a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
1cb59a557c301af9ce1dfedd54904df8

SHA1
ecda39bb33a3ed9e86f8d8062d6a20d97bedd4b3

SHA256
58e875885850a361dcd0fe9f0d2b4b5fb48fe025de5e855f7026ac7c29bd7814

SHA512
beae5c4867a1e40477063d68788636c09bde165f2dd965e4bd5e1d9df2cf607d5726a0f1d25fd66cf000e5b2522d9d67970d79e8c018c89775565cdf92be7631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1b280cffd3d8b01ed86b34fc4360c468

SHA1
6f0c6d71093bc87fea2da8b2685ac87a241bb4fc

SHA256
7126b7d7b30d067a1dd315220b8d8d9adaa799e1e012d6ca56171cd9c793d33c

SHA512
4db97481a46deba54aac4e74d95860836374d36e0be8a652e65f0276683f9fb3d7fc9b557b9c20e56e5f9a3b60056e31d5661916736bc47df81a26aa05883621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
21452ec8281788992d6807b586354aca

SHA1
2d727d137fd235bc5f49ea6cbd46aeaf5a8697ef

SHA256
91adb580cd62d9d3c10fefdee89f79cef52036e619beadb3af5894f2830131b0

SHA512
1af9c9fb760515a67a7bcd50c05b4491a7f87a3ab5d4ae9c10c5c1538394a1b07320b75b18cf5127ff51ff7a0a698db3f6e3c6bd4797596aeafd5818af690943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d83cc1cf2cd85d26d1d5e052cb9e50a3

SHA1
fa9a33b3d56abae5de3deeedd74295209cdbcc4d

SHA256
c0e1a9564275757a0f1e97f013177beb224c9469b34fd1e6f7a1c726df6966ec

SHA512
cc2d03bb05326c8c42ec32595e2a4f60ec47950ba2eb94400b793400c23cf91d82a207663802edf733c8292650e0f8c55353042bf3b0d5b4873a04f7613c48a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d3631b54eb322bf8b5788524ae0ca52

SHA1
a12503fb699a39a2ed0ebe93270017384968aceb

SHA256
270545fabe0f29c64f087e6fd772989eb2942729b31b1972b789b0a7c091cda6

SHA512
9ba17fccd91935e8324c2463c2d79585ab3e3cb93eb0c2f506d4897fd09749ea311374cf5c0c1f4d97ac6b97fac9524aa1ec8055f7a4175a8cf5ccbe02d93cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
89db01e37bbe3297646762464bd3aa70

SHA1
7a27772f1effbd808f17a885ac2af33218af73d9

SHA256
26046b330f195973b4613b01453971fb6606566978d8fee623244c81d71e3433

SHA512
a384155c333634d2d76ccdd14849205a5154ed923f4f0b9905e4dbe75330db492e8b0763b48930dfda323487ab5d71482386349f7fba3aabd6ddbd221a8d320b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
adf3a82b4a958577a89321961bacb197

SHA1
687d8029a2d3322c3e0b8ba63a3f99ca1388d64d

SHA256
63b77c7c4debf283176820436d55259c9cf21573ee944076a61be6fd43e41c62

SHA512
888c37c3d8c96efb921305d82dd8de9cdef51c924208f4ad17ca978c7ca6c0da7e0112395a7fb98c90a171ca26e861940a3d2684714776a993f2fec94c70832b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ce00bfca7d0aeb1c2837c68d10704c4a

SHA1
9f9a679cd7d16988040ad0740f0aea61c8a226c8

SHA256
a08f009c7bdc8966440ab2bea888d2b3c33e16d5c16cc75d7740a29427fbbcbb

SHA512
864ed9dd7359a29bd5375194a4d3d53bdb9f27f3859a60283dc560f9cd3c82e8a92d4d50e268425ccedda4cdf28a66a5db3dfe4e59aa1f28c61f48a3c934dcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
116c373a3aaef3fe320786d8e29890e4

SHA1
aa888ec61174ab090394442d986efde7ee076b97

SHA256
cfd63913f303730111a149a42df7fa6a69ca4ee73e64a300217d0eaa54bf9646

SHA512
8686bd66e0bdf6368c99a57604d807062140f19670749a4f4f9cfc8ee990975c7db4255bd90687ded102015d36e411af38c09b036c0060c594bcc88c51310989

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
78B

MD5
fc3b0a20f14926ab145493e38db27c48

SHA1
238c836ef08f215690d02b703af9996077a1d11a

SHA256
d20d1af1fa9e13e63c5bf1336387d19a4bd504a211e8866d26015b8e4e4a594d

SHA512
a4c343ce5dc2ea2bd4e2f6214d5ba5d2d948782c6f66c23083d9dbe392e675ad391dd67eecb74a8b9d9c1855b4ae51c2cc29e0208b33e10ffe68f8f8ba0ddc95

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.bA5440

Filesize
77B

MD5
2e1e0dfd47c5935b0bfa75bd614a2ca0

SHA1
1db7e0e297eeb60fcfd04dc55b61aaf06731588b

SHA256
cce609f6212847218d98fa18d7fc7d9cf20fccbd1a9373ae3d17b8e3db7161b7

SHA512
f09683de87e5ad22044987c5dfca5183ad754cd3a9c4be3924a4c27cb3ee20d4ce6e0e941feda1dda3f717e0985e8b8054057776726782fe391fb8dc87825dc3

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
85dd7f56b10da910927be80b8e77146f

SHA1
baa494ec6f10b488c78f7e10da27870b6dbc81ca

SHA256
282dacd8ca9e4792429541ac8117b28ad788c52a479bde68792a15b927452d3f

SHA512
22f15aa17fe1663ba91bffbb0286508744542457a42990cef0938245a5993244e2369f90ccdf70dd1da03aa1ae213083643bde4029104ff4d95c546f0372aaea

Download Submit
C:\Users\Admin\Downloads\media_images_ptakwspodniach (1).jpg.crdownload

Filesize
46KB

MD5
9987455160273726f5894678429d5abe

SHA1
5291675ba62eb06953ea2543d139eb8d8ba1dd4f

SHA256
1480e09300dde94453bbf45950edbd2bcee237629c59c4930ae3dffa675ca75b

SHA512
75086a0cd7c6768c1a004871ce73e2da80a4b8b55134a881729b81067610e5fc61b5db5d9f4c1840a55f7fa74a782a8d3e33df10cb37c3d50eb6d6a560e1ae1d

Download Submit
C:\Users\Admin\Downloads\media_images_ptoszek (1).jpg.crdownload

Filesize
27KB

MD5
9e4b1b3e7c52e090c8e70df1a98bad85

SHA1
f4367b1f35b1032f0f1112e7af4c016a52a033bf

SHA256
2bf3b01afc66b991275909dae575ed1185ac3356d537844fd4f0cd9a1804fb97

SHA512
753dc9f3329b8630baa22b0a513e5d659b2c9ed0ecd62894527dc37c03ef688f27368bc342766b6aae10755d11277c466e409b5a677428779df89b0f1db68e5b

Download Submit
C:\Users\Admin\Downloads\media_images_zlyptok (1).jpeg.crdownload

Filesize
8KB

MD5
abcd67add008164a9e8a6fdda7c44110

SHA1
9dd2e268b07b080a6c18df73d5313e4b8ca1ef0e

SHA256
f31abee6629248b05f89c5b8d40f3180f207c0b5263a1dccdbcb5a9b65f27a8f

SHA512
d3d55e8cbd198bd3c5c7d76e47774aaa347413ddae78e1f17cfccb2c99ce6ce1392a9747b551d526fe272a12ba6c7a5819d6edb5df9f7c3643bcc0cc70e1c23c

Download Submit
memory/436-1188-0x00007FF72EDE0000-0x00007FF72EE47000-memory.dmp

Filesize
412KB

Download
memory/3064-1189-0x00007FF72EDE0000-0x00007FF72EE47000-memory.dmp

Filesize
412KB

Download
memory/5440-1182-0x00007FF6CBCA0000-0x00007FF6CBD98000-memory.dmp

Filesize
992KB

Download
memory/5440-1183-0x00007FFF73850000-0x00007FFF73884000-memory.dmp

Filesize
208KB

Download
memory/5440-1185-0x00007FFF5B240000-0x00007FFF5B34E000-memory.dmp

Filesize
1.1MB

Download
memory/5440-1184-0x00007FFF5BA60000-0x00007FFF5BD16000-memory.dmp

Filesize
2.7MB

Download
memory/6124-1192-0x00007FF72EDE0000-0x00007FF72EE47000-memory.dmp

Filesize
412KB

Download