28cc656312bcd6d8e07969007caeb7a550e8e40ae8c0dfe20609f5d04301cfb0

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe
Size

68KB
MD5

d64dedce2f9ce71a0c5d5c234fb943d4
SHA1

624df9c273d26d348d18da16791530d1229e58a6
SHA256

28cc656312bcd6d8e07969007caeb7a550e8e40ae8c0dfe20609f5d04301cfb0
SHA512

24cfde2403c7119123d6f6aac32c0d898beb4f5eaa7164815335823eae738d2fb67a9e115e9da90ca2df8020331c8b584ab6227dcd8a1bde29f99ce40b38dd89
SSDEEP

384:ojQTC55+M7eSqtIWA4rL8pWqAR+suhNryatM3o3L/poWo:1TCH+M7extIWACLDqARGTmm

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MsnMessenger = "C:\\Windows\\System32\\Msn.bat"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ShellWin.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ShellWin.bat	cmd.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5072	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
7260	msedge.exe
7260	msedge.exe
6752	msedge.exe
6752	msedge.exe
8168	msedge.exe
8168	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
5360	Process not Found
5604	Process not Found
5404	Process not Found
5408	Process not Found
5412	Process not Found
5520	Process not Found
5524	Process not Found
5424	Process not Found
5532	Process not Found
5432	Process not Found
5540	Process not Found
5544	Process not Found
5444	Process not Found
5552	Process not Found
5452	Process not Found
5564	Process not Found
5568	Process not Found
5572	Process not Found
5608	Process not Found
5612	Process not Found
18804	Process not Found
7604	Process not Found
1996	Process not Found
12168	Process not Found
1252	Process not Found
4984	Process not Found
1980	Process not Found
4840	Process not Found
4856	Process not Found
7624	Process not Found
7652	Process not Found
18348	Process not Found
19048	Process not Found
4208	Process not Found
7716	Process not Found
18272	Process not Found
2892	Process not Found
18928	Process not Found
18036	Process not Found
792	Process not Found
800	Process not Found
772	Process not Found
2660	Process not Found
8304	Process not Found
612	Process not Found
2636	Process not Found
3172	Process not Found
3972	Process not Found
3924	Process not Found
4584	Process not Found
4864	Process not Found
2332	Process not Found
3360	Process not Found
2804	Process not Found
18880	Process not Found
2712	Process not Found
7420	Process not Found
400	Process not Found
3184	Process not Found
4016	Process not Found
2100	Process not Found
4136	Process not Found
4160	Process not Found
4168	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	7420	dwm.exe
Token: SeChangeNotifyPrivilege	7420	dwm.exe
Token: 33	7420	dwm.exe
Token: SeIncBasePriorityPrivilege	7420	dwm.exe
Token: SeCreateGlobalPrivilege	17540	dwm.exe
Token: SeChangeNotifyPrivilege	17540	dwm.exe
Token: 33	17540	dwm.exe
Token: SeIncBasePriorityPrivilege	17540	dwm.exe
Token: SeCreateGlobalPrivilege	18824	dwm.exe
Token: SeChangeNotifyPrivilege	18824	dwm.exe
Token: 33	18824	dwm.exe
Token: SeIncBasePriorityPrivilege	18824	dwm.exe
Token: SeCreateGlobalPrivilege	3336	dwm.exe
Token: SeChangeNotifyPrivilege	3336	dwm.exe
Token: 33	3336	dwm.exe
Token: SeIncBasePriorityPrivilege	3336	dwm.exe
Token: SeCreateGlobalPrivilege	18252	dwm.exe
Token: SeChangeNotifyPrivilege	18252	dwm.exe
Token: 33	18252	dwm.exe
Token: SeIncBasePriorityPrivilege	18252	dwm.exe
Token: SeCreateGlobalPrivilege	4208	dwm.exe
Token: SeChangeNotifyPrivilege	4208	dwm.exe
Token: 33	4208	dwm.exe
Token: SeIncBasePriorityPrivilege	4208	dwm.exe
Token: SeCreateGlobalPrivilege	19052	dwm.exe
Token: SeChangeNotifyPrivilege	19052	dwm.exe
Token: 33	19052	dwm.exe
Token: SeIncBasePriorityPrivilege	19052	dwm.exe
Token: SeCreateGlobalPrivilege	18036	dwm.exe
Token: SeChangeNotifyPrivilege	18036	dwm.exe
Token: 33	18036	dwm.exe
Token: SeIncBasePriorityPrivilege	18036	dwm.exe
Token: 33	10888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	10888	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe
6752	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3800	2408	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	87
PID 2408 wrote to memory of 3800	2408	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	87
PID 2408 wrote to memory of 3800	2408	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	87
PID 3800 wrote to memory of 5072	3800	cmd.exe	89
PID 3800 wrote to memory of 5072	3800	cmd.exe	89
PID 3800 wrote to memory of 5072	3800	cmd.exe	89
PID 3800 wrote to memory of 5084	3800	cmd.exe	90
PID 3800 wrote to memory of 5084	3800	cmd.exe	90
PID 3800 wrote to memory of 5084	3800	cmd.exe	90
PID 3800 wrote to memory of 3804	3800	cmd.exe	92
PID 3800 wrote to memory of 3804	3800	cmd.exe	92
PID 3800 wrote to memory of 3804	3800	cmd.exe	92
PID 3800 wrote to memory of 4696	3800	cmd.exe	93
PID 3800 wrote to memory of 4696	3800	cmd.exe	93
PID 3800 wrote to memory of 4696	3800	cmd.exe	93
PID 3800 wrote to memory of 1928	3800	cmd.exe	94
PID 3800 wrote to memory of 1928	3800	cmd.exe	94
PID 3800 wrote to memory of 1928	3800	cmd.exe	94
PID 3800 wrote to memory of 3668	3800	cmd.exe	95
PID 3800 wrote to memory of 3668	3800	cmd.exe	95
PID 3800 wrote to memory of 3668	3800	cmd.exe	95
PID 3800 wrote to memory of 2664	3800	cmd.exe	96
PID 3800 wrote to memory of 2664	3800	cmd.exe	96
PID 3800 wrote to memory of 2664	3800	cmd.exe	96
PID 3800 wrote to memory of 3120	3800	cmd.exe	97
PID 3800 wrote to memory of 3120	3800	cmd.exe	97
PID 3800 wrote to memory of 3120	3800	cmd.exe	97
PID 3800 wrote to memory of 2260	3800	cmd.exe	98
PID 3800 wrote to memory of 2260	3800	cmd.exe	98
PID 3800 wrote to memory of 2260	3800	cmd.exe	98
PID 3800 wrote to memory of 1416	3800	cmd.exe	99
PID 3800 wrote to memory of 1416	3800	cmd.exe	99
PID 3800 wrote to memory of 1416	3800	cmd.exe	99
PID 3800 wrote to memory of 744	3800	cmd.exe	100
PID 3800 wrote to memory of 744	3800	cmd.exe	100
PID 3800 wrote to memory of 744	3800	cmd.exe	100
PID 3800 wrote to memory of 948	3800	cmd.exe	101
PID 3800 wrote to memory of 948	3800	cmd.exe	101
PID 3800 wrote to memory of 948	3800	cmd.exe	101
PID 3800 wrote to memory of 628	3800	cmd.exe	102
PID 3800 wrote to memory of 628	3800	cmd.exe	102
PID 3800 wrote to memory of 628	3800	cmd.exe	102
PID 3800 wrote to memory of 4000	3800	cmd.exe	103
PID 3800 wrote to memory of 4000	3800	cmd.exe	103
PID 3800 wrote to memory of 4000	3800	cmd.exe	103
PID 3800 wrote to memory of 1568	3800	cmd.exe	104
PID 3800 wrote to memory of 1568	3800	cmd.exe	104
PID 3800 wrote to memory of 1568	3800	cmd.exe	104
PID 3800 wrote to memory of 2436	3800	cmd.exe	105
PID 3800 wrote to memory of 2436	3800	cmd.exe	105
PID 3800 wrote to memory of 2436	3800	cmd.exe	105
PID 3800 wrote to memory of 748	3800	cmd.exe	106
PID 3800 wrote to memory of 748	3800	cmd.exe	106
PID 3800 wrote to memory of 748	3800	cmd.exe	106
PID 3800 wrote to memory of 1360	3800	cmd.exe	107
PID 3800 wrote to memory of 1360	3800	cmd.exe	107
PID 3800 wrote to memory of 1360	3800	cmd.exe	107
PID 3800 wrote to memory of 1660	3800	cmd.exe	108
PID 3800 wrote to memory of 1660	3800	cmd.exe	108
PID 3800 wrote to memory of 1660	3800	cmd.exe	108
PID 3800 wrote to memory of 224	3800	cmd.exe	109
PID 3800 wrote to memory of 224	3800	cmd.exe	109
PID 3800 wrote to memory of 224	3800	cmd.exe	109
PID 3800 wrote to memory of 2816	3800	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2E1\batfile.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MsnMessenger" /t REG_SZ /d C:\Windows\System32\Msn.bat
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5072
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:744
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:628
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4000
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:748
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:928
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:512
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:616
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:884
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3788
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.soygay.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:6828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:7252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:7260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      4⤵
      PID:7276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:7452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:7460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
      4⤵
      PID:7816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
      4⤵
      PID:7984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
      4⤵
      PID:7212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
      4⤵
      PID:7468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:8256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:8288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
      4⤵
      PID:9072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
      4⤵
      PID:9360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
      4⤵
      PID:9368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
      4⤵
      PID:9552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
      4⤵
      PID:9628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
      4⤵
      PID:9828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
      4⤵
      PID:10104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
      4⤵
      PID:10156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7911524191375235010,452994083024667586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
      4⤵
      PID:10892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.petardas.com/
    3⤵
    PID:6872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:6892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9487953187296636182,10932465649119771914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 /prefetch:3
      4⤵
      PID:7696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.amo-a-raki0n.tk/
    3⤵
    PID:7072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:7116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,15468841429344732573,14875176406759239069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:8156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,15468841429344732573,14875176406759239069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cph-manda.com/
    3⤵
    PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:6364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.soy-lammer.com/
    3⤵
    PID:8096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:8152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K start notepad.exe
    3⤵
    PID:8200
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      PID:8812
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8228
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8276
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8576
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8632
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8640
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8648
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8720
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8804
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8932
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8956
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8992
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9036
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9092
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9120
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9128
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9196
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9204
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9212
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8240
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:7616
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8520
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7444
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8880
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9244
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.me-meto-virus.com/
    3⤵
    PID:9336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:9352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.yo.soygay.com/
    3⤵
    PID:9544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:9568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.es/
    3⤵
    PID:9720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:9732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.guardiacivil.org/
    3⤵
    PID:9776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9cc8546f8,0x7ff9cc854708,0x7ff9cc854718
      4⤵
      PID:9804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:9820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:9844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:9940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:9728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16820
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16860
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:16868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16876
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16892
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:16916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16924
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:16940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16948
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16964
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:16972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:16980
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:16996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:17004
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:17012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8532

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7420

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:17540

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:18824

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:18252

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:19052

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:18036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:10888

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4920

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2776

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2924

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:19036

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:7952

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:5288

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
PID:11016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
068256b278f0482c7fdc2a4419ecb771

SHA1
d2bd216df7c8791e19322c97783332b4a506dc78

SHA256
bbc3e1389b168639dc74c71368e9008a9a0f22ec4bd6cdaac531d6d41fda5d07

SHA512
6fa3bffe360ea3472c459190df68c953304661f96b343a31c8eabbfd543fb6d50523d820e09d67dc6d3c78e81ccb8cce682db414de574c1a7d60cc65d70507dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
41706f62fb67cd72a731758468708843

SHA1
627dd88b76637b83f5b284f476d11bb5046a5142

SHA256
4f0d8d6c5b5fb94796e63accb78c3955c23bda4608170920fd401a91bb806c30

SHA512
7970f4918728ddba012e694e266b8144ff0cd95bc8c382986b89331b30b3714e319ecb101e42005cfdf76c442e385a5e9cbf34c6d8b017f7bea418b35b6c5c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3b3735a1200ed454b7430501af56cf88

SHA1
c2e061987ae94972c9bf3d5d4f07781aa7456b84

SHA256
7448ecb31f423ff53badbcdecfcc0c32a3e01e7e619ba7cdbf0d47a6c94ce195

SHA512
ea1cf29610dfcfc65cf3067c1635594500fe44fa6d02c8f0b9a4d6036e947c226973064335e11151a46710954aea0f85e5a58ab46560285ddb02d93a8b5440bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e931b3da26c12b6f0ba0be1155fd89e

SHA1
c4e82aac15b391e2c3ef044c0669c5067c1cc8fa

SHA256
ce154d5d7ddbda98cf728cb65d1ffdfc94617de223b8f17dfc7d855f1326c35e

SHA512
d72bbd5ce937b06dff128c3ff379b3bdd54b858f8c6390dd8adbf97a83484e97522326bb65626fb66a62fe010ddefbebdf434da09a84b68dd080d9fae11e2ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e8b91848-7812-4093-9618-923f7a45eab3.tmp

Filesize
8KB

MD5
c274730c59ff23f0c80f1424646f7de5

SHA1
902ca94442849287b89874324628701dd15261ac

SHA256
8ca5c3337e5cb5f51043b220059934f62dfdbd08cea74d86e4497dc93d6a0673

SHA512
c9ea07af007706551610966e31ebebb9d5edf225e9415d360a7a5f8d51e5664caeaaf8c83afd309e49c9d70746570b8fcfc29c6f9eb7c7a572e40d95665f9bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E1\batfile.bat

Filesize
48KB

MD5
eaf5ac7432975a30acc52869af03b8fc

SHA1
e72abde35fb94247ef276c0a8e064527465c57d5

SHA256
3e96edde8cacf1ebd98e965b1c64aae24662801491fd45b6370bb272ff84a1dd

SHA512
909683c38860bb2391b1b0e52326b8c96739b2432130a30748b6e4de79c64c6c939681c605b05d6132b18538fbf2b15b58361f14f3549a23f0b73ce4a13938d4

Download Submit
memory/2408-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download