c86a0c40766cc80e1c67f8ae7e52881696c19b0fdceb2cb8ccad62aeefe7389b

Analysis

max time kernel
71s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe
Size

166KB
MD5

edbbc1e26a160aa198267064c3f6be97
SHA1

a6f44fd2b0e1f93e8c8d333f73cbe683ed0d9325
SHA256

c86a0c40766cc80e1c67f8ae7e52881696c19b0fdceb2cb8ccad62aeefe7389b
SHA512

9c177cbc32c4b001f12c654c3878404c32b83d2826f6cafa08622f592f5a0b4d1cf4cb0c25e045c5795749d04606a6dcbe07fa119cc37c7eaf9835c665067a35
SSDEEP

3072:b1/hccvQOwOPRuxc3eagQbBxGAPWP98t6Bn2VfPvrV0p7jOEaX:hhcXWZHBPWPLB2RPvrV0e7X

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	filesystem.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
3788	filesystem.exe
4432	filesystem.exe
4084	filesystem.exe
2740	filesystem.exe
2264	filesystem.exe
2516	filesystem.exe
2348	filesystem.exe
3956	filesystem.exe
4644	filesystem.exe
3700	filesystem.exe
5020	filesystem.exe
4448	filesystem.exe
2036	filesystem.exe
4860	filesystem.exe
4312	filesystem.exe
3328	filesystem.exe
3260	filesystem.exe
4240	filesystem.exe
808	filesystem.exe
3240	filesystem.exe
3788	filesystem.exe
4544	filesystem.exe
3564	filesystem.exe
4088	filesystem.exe
3556	filesystem.exe
2516	filesystem.exe
1092	filesystem.exe
228	filesystem.exe
4608	filesystem.exe
3480	filesystem.exe
2360	filesystem.exe
1600	filesystem.exe
2552	filesystem.exe
4188	filesystem.exe
4108	filesystem.exe
4984	filesystem.exe
5028	filesystem.exe
2548	filesystem.exe
4884	filesystem.exe
3788	filesystem.exe
2960	filesystem.exe
2740	filesystem.exe
2864	filesystem.exe
2000	filesystem.exe
2888	filesystem.exe
3472	filesystem.exe
1644	filesystem.exe
3232	filesystem.exe
976	filesystem.exe
1520	filesystem.exe
1600	filesystem.exe
452	filesystem.exe
4496	filesystem.exe
4140	filesystem.exe
744	filesystem.exe
412	filesystem.exe
2888	filesystem.exe
3240	filesystem.exe
3352	filesystem.exe
3448	filesystem.exe
2720	filesystem.exe
5060	filesystem.exe
3260	filesystem.exe
2072	filesystem.exe

Loads dropped DLL 64 IoCs

pid	Process
5108	notepad.exe
2020	notepad.exe
4004	notepad.exe
1488	notepad.exe
3360	notepad.exe
4812	notepad.exe
5040	notepad.exe
716	notepad.exe
4400	notepad.exe
2956	notepad.exe
2956	notepad.exe
4960	notepad.exe
5016	notepad.exe
1416	notepad.exe
2652	notepad.exe
3548	notepad.exe
3548	notepad.exe
4776	notepad.exe
2596	notepad.exe
2596	notepad.exe
5064	notepad.exe
5064	notepad.exe
3220	notepad.exe
3220	notepad.exe
1092	notepad.exe
3228	notepad.exe
4368	notepad.exe
400	notepad.exe
5092	notepad.exe
1672	notepad.exe
1672	notepad.exe
2548	notepad.exe
2548	notepad.exe
3564	notepad.exe
5044	notepad.exe
4188	notepad.exe
3132	notepad.exe
4808	notepad.exe
3940	notepad.exe
3636	notepad.exe
2412	notepad.exe
5436	notepad.exe
5456	notepad.exe
5472	notepad.exe
5472	notepad.exe
5480	notepad.exe
5488	notepad.exe
5496	notepad.exe
5520	notepad.exe
5212	notepad.exe
5212	notepad.exe
5248	notepad.exe
5248	notepad.exe
5268	notepad.exe
5292	notepad.exe
5328	notepad.exe
5312	notepad.exe
5304	notepad.exe
5360	notepad.exe
5360	notepad.exe
6096	notepad.exe
6096	notepad.exe
5244	notepad.exe
4804	notepad.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\filesystem.exe"	filesystem.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 3788 set thread context of 4432	3788	filesystem.exe	84
PID 4084 set thread context of 2740	4084	filesystem.exe	90
PID 2264 set thread context of 2516	2264	filesystem.exe	96
PID 2348 set thread context of 3956	2348	filesystem.exe	101
PID 4644 set thread context of 3700	4644	filesystem.exe	107
PID 5020 set thread context of 4448	5020	filesystem.exe	111
PID 2036 set thread context of 4860	2036	filesystem.exe	115
PID 4312 set thread context of 3328	4312	filesystem.exe	119
PID 3260 set thread context of 4240	3260	filesystem.exe	123
PID 808 set thread context of 3240	808	filesystem.exe	127
PID 3788 set thread context of 4544	3788	filesystem.exe	131
PID 3564 set thread context of 4088	3564	filesystem.exe	135
PID 3556 set thread context of 2516	3556	filesystem.exe	139
PID 1092 set thread context of 228	1092	filesystem.exe	144
PID 4608 set thread context of 3480	4608	filesystem.exe	148
PID 2360 set thread context of 1600	2360	filesystem.exe	151
PID 2552 set thread context of 4188	2552	filesystem.exe	156
PID 4108 set thread context of 4984	4108	filesystem.exe	159
PID 5028 set thread context of 2548	5028	filesystem.exe	162
PID 4884 set thread context of 3788	4884	filesystem.exe	169
PID 2960 set thread context of 2740	2960	filesystem.exe	172
PID 2864 set thread context of 2000	2864	filesystem.exe	175
PID 2888 set thread context of 3472	2888	filesystem.exe	178
PID 1644 set thread context of 3232	1644	filesystem.exe	185
PID 976 set thread context of 1520	976	filesystem.exe	188
PID 1600 set thread context of 452	1600	filesystem.exe	191
PID 4496 set thread context of 4140	4496	filesystem.exe	194
PID 744 set thread context of 412	744	filesystem.exe	197
PID 2888 set thread context of 3352	2888	filesystem.exe	206
PID 3240 set thread context of 3448	3240	filesystem.exe	207
PID 2720 set thread context of 3260	2720	filesystem.exe	212
PID 5060 set thread context of 2072	5060	filesystem.exe	213
PID 3232 set thread context of 4900	3232	filesystem.exe	217
PID 4376 set thread context of 452	4376	filesystem.exe	220
PID 4908 set thread context of 4376	4908	filesystem.exe	229
PID 3540 set thread context of 3900	3540	filesystem.exe	232
PID 2072 set thread context of 5132	2072	filesystem.exe	236
PID 116 set thread context of 5160	116	filesystem.exe	237
PID 5240 set thread context of 5256	5240	filesystem.exe	241
PID 5304 set thread context of 5320	5304	filesystem.exe	244
PID 5392 set thread context of 5408	5392	filesystem.exe	247
PID 5564 set thread context of 5580	5564	filesystem.exe	257
PID 5640 set thread context of 5660	5640	filesystem.exe	260
PID 5752 set thread context of 5780	5752	filesystem.exe	263
PID 5808 set thread context of 5836	5808	filesystem.exe	266
PID 5924 set thread context of 5936	5924	filesystem.exe	269
PID 6004 set thread context of 6020	6004	filesystem.exe	272
PID 6060 set thread context of 6076	6060	filesystem.exe	275
PID 5144 set thread context of 5176	5144	filesystem.exe	278
PID 5464 set thread context of 2552	5464	filesystem.exe	289
PID 5644 set thread context of 5640	5644	filesystem.exe	292
PID 5796 set thread context of 5852	5796	filesystem.exe	295
PID 5336 set thread context of 5928	5336	filesystem.exe	298
PID 6100 set thread context of 6116	6100	filesystem.exe	301
PID 5332 set thread context of 5420	5332	filesystem.exe	304
PID 5464 set thread context of 5652	5464	filesystem.exe	307
PID 5260 set thread context of 2244	5260	filesystem.exe	310
PID 5988 set thread context of 1776	5988	filesystem.exe	313
PID 5336 set thread context of 5796	5336	filesystem.exe	325
PID 4376 set thread context of 5672	4376	filesystem.exe	328
PID 4304 set thread context of 116	4304	filesystem.exe	331
PID 5184 set thread context of 6160	5184	filesystem.exe	334
PID 6260 set thread context of 6280	6260	filesystem.exe	337

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystem.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 4224 wrote to memory of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 4224 wrote to memory of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 4224 wrote to memory of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 4224 wrote to memory of 4852	4224	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	82
PID 4852 wrote to memory of 3788	4852	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	83
PID 4852 wrote to memory of 3788	4852	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	83
PID 4852 wrote to memory of 3788	4852	edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe	83
PID 3788 wrote to memory of 4432	3788	filesystem.exe	84
PID 3788 wrote to memory of 4432	3788	filesystem.exe	84
PID 3788 wrote to memory of 4432	3788	filesystem.exe	84
PID 3788 wrote to memory of 4432	3788	filesystem.exe	84
PID 3788 wrote to memory of 4432	3788	filesystem.exe	84
PID 4432 wrote to memory of 2140	4432	filesystem.exe	85
PID 4432 wrote to memory of 2140	4432	filesystem.exe	85
PID 4432 wrote to memory of 2140	4432	filesystem.exe	85
PID 4432 wrote to memory of 5108	4432	filesystem.exe	86
PID 4432 wrote to memory of 5108	4432	filesystem.exe	86
PID 4432 wrote to memory of 5108	4432	filesystem.exe	86
PID 4432 wrote to memory of 5108	4432	filesystem.exe	86
PID 5108 wrote to memory of 4084	5108	notepad.exe	89
PID 5108 wrote to memory of 4084	5108	notepad.exe	89
PID 5108 wrote to memory of 4084	5108	notepad.exe	89
PID 4084 wrote to memory of 2740	4084	filesystem.exe	90
PID 4084 wrote to memory of 2740	4084	filesystem.exe	90
PID 4084 wrote to memory of 2740	4084	filesystem.exe	90
PID 4084 wrote to memory of 2740	4084	filesystem.exe	90
PID 4084 wrote to memory of 2740	4084	filesystem.exe	90
PID 2740 wrote to memory of 1104	2740	filesystem.exe	91
PID 2740 wrote to memory of 1104	2740	filesystem.exe	91
PID 2740 wrote to memory of 1104	2740	filesystem.exe	91
PID 2740 wrote to memory of 2020	2740	filesystem.exe	94
PID 2740 wrote to memory of 2020	2740	filesystem.exe	94
PID 2740 wrote to memory of 2020	2740	filesystem.exe	94
PID 2740 wrote to memory of 2020	2740	filesystem.exe	94
PID 2020 wrote to memory of 2264	2020	notepad.exe	95
PID 2020 wrote to memory of 2264	2020	notepad.exe	95
PID 2020 wrote to memory of 2264	2020	notepad.exe	95
PID 2264 wrote to memory of 2516	2264	filesystem.exe	96
PID 2264 wrote to memory of 2516	2264	filesystem.exe	96
PID 2264 wrote to memory of 2516	2264	filesystem.exe	96
PID 2264 wrote to memory of 2516	2264	filesystem.exe	96
PID 2264 wrote to memory of 2516	2264	filesystem.exe	96
PID 2516 wrote to memory of 3288	2516	filesystem.exe	97
PID 2516 wrote to memory of 3288	2516	filesystem.exe	97
PID 2516 wrote to memory of 3288	2516	filesystem.exe	97
PID 2516 wrote to memory of 4004	2516	filesystem.exe	98
PID 2516 wrote to memory of 4004	2516	filesystem.exe	98
PID 2516 wrote to memory of 4004	2516	filesystem.exe	98
PID 2516 wrote to memory of 4004	2516	filesystem.exe	98
PID 4004 wrote to memory of 2348	4004	notepad.exe	100
PID 4004 wrote to memory of 2348	4004	notepad.exe	100
PID 4004 wrote to memory of 2348	4004	notepad.exe	100
PID 2348 wrote to memory of 3956	2348	filesystem.exe	101
PID 2348 wrote to memory of 3956	2348	filesystem.exe	101
PID 2348 wrote to memory of 3956	2348	filesystem.exe	101
PID 2348 wrote to memory of 3956	2348	filesystem.exe	101
PID 2348 wrote to memory of 3956	2348	filesystem.exe	101
PID 3956 wrote to memory of 4340	3956	filesystem.exe	102
PID 3956 wrote to memory of 4340	3956	filesystem.exe	102
PID 3956 wrote to memory of 4340	3956	filesystem.exe	102
PID 3956 wrote to memory of 1488	3956	filesystem.exe	103
PID 3956 wrote to memory of 1488	3956	filesystem.exe	103
PID 3956 wrote to memory of 1488	3956	filesystem.exe	103

C:\Users\Admin\AppData\Local\Temp\edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\edbbc1e26a160aa198267064c3f6be97_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
    "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
      "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        Loads dropped DLL
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        Loads dropped DLL
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3788
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        Loads dropped DLL
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        Loads dropped DLL
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        Loads dropped DLL
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        Loads dropped DLL
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        Loads dropped DLL
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:948
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        Loads dropped DLL
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:4376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        Loads dropped DLL
        
        PID:5436
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:5564
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        64⤵
        
        PID:5580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        65⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        65⤵
        Loads dropped DLL
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        66⤵
        Suspicious use of SetThreadContext
        
        PID:5464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        67⤵
        
        PID:2552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        68⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        68⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:6096
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:5336
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        70⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        71⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        71⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        72⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        73⤵
        
        PID:6864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        74⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        74⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        75⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        76⤵
        
        PID:6600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        77⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        77⤵
        Adds Run key to start application
        
        PID:7392
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        78⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        79⤵
        
        PID:7772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        80⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        80⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        81⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        82⤵
        
        PID:7916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        83⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        83⤵
        
        PID:8712
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        84⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        85⤵
        
        PID:9176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        86⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        86⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        87⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        88⤵
        Adds Run key to start application
        
        PID:9416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        89⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:8064
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        90⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        91⤵
        
        PID:8492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        92⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        92⤵
        
        PID:11072
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        93⤵
        
        PID:9428
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        95⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        95⤵
        
        PID:11908
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        96⤵
        
        PID:10864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        97⤵
        Modifies firewall policy service
        
        PID:11096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        98⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        98⤵
        
        PID:13204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        99⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        100⤵
        
        PID:14044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        101⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        101⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14340
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:13020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:14268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14600
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14704
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:12248
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Modifies firewall policy service
        
        PID:12264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:12348
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:12816
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:11704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:14204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:13528
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14364
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:10000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:9724
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:10252
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:10440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:12388
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:13236
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:12300
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14800
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:9948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:10060
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:11176
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        
        PID:11208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:10992
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:12052
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Adds Run key to start application
        
        PID:12072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Adds Run key to start application
        
        PID:11180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13784
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14180
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14320
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:8900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9500
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        
        PID:10008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:11256
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:9452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Adds Run key to start application
        
        PID:12164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:12308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:11436
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:14052
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        
        PID:8828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:8536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9372
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        
        PID:9648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10992
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Adds Run key to start application
        
        PID:11016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:10424
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11876
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:11892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:13212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:13252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13560
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:13104
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:13252
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:8860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        Adds Run key to start application
        
        PID:9160
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9392
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:9744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:10160
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Adds Run key to start application
        
        PID:11080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        Adds Run key to start application
        
        PID:10616
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11932
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:11968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13740
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14096
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:9432
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:7436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Modifies firewall policy service
        
        PID:6152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        
        PID:8668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:8904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:9200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        
        PID:10844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:9928
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:11648
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:11692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:11924
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:12984
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Modifies firewall policy service
        
        PID:13012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:12540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:12616
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        
        PID:6912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:7500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:8048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7824
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:8744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:9112
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:8888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Modifies firewall policy service
        
        PID:8524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9340
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:9348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        
        PID:10872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:9892
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11724
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:11764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:11216
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:13088
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:13120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:13188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13452
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14320
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:12828
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Adds Run key to start application
        
        PID:7284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:7680
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:7624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Adds Run key to start application
        
        PID:8544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:8212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:10160
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:10176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:9676
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10692
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:10716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11640
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Modifies firewall policy service
        
        PID:11664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:11648
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:12972
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Modifies firewall policy service
        
        PID:13004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        Modifies firewall policy service
        
        PID:2244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        Adds Run key to start application
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Adds Run key to start application
        
        PID:7320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Adds Run key to start application
        
        PID:7608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:8488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:7264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:9232
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:10100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10612
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        
        PID:10636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:8768
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Modifies firewall policy service
        
        PID:11496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:11904
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:12784
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:13884
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:13940
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:6004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        
        PID:6020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5332
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:6344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        Modifies firewall policy service
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        Adds Run key to start application
        
        PID:6216
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Modifies firewall policy service
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:7264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        
        PID:8312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        Adds Run key to start application
        
        PID:8976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:7416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9840
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        
        PID:9892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:10164
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10388
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        
        PID:10452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:10484
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:10376
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:10400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:10560
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:12496
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:11896
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14320
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:11960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:14356
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:5304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5496
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:6060
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:5304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        Adds Run key to start application
        
        PID:5332
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:6432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        Modifies firewall policy service
        
        PID:6504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Modifies firewall policy service
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Adds Run key to start application
        
        PID:7300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:8344
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        
        PID:8376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:9028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Modifies firewall policy service
        
        PID:9148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9956
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:9984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10516
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:10540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:11432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:11756
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:12692
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Adds Run key to start application
        
        PID:12712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:13572
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:14700
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:5240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5488
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:5924
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        
        PID:6116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        Suspicious use of SetThreadContext
        
        PID:6260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:6280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        
        PID:7164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:7040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:8068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        
        PID:8128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        
        PID:8584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:9676
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:9692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:10056
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        
        PID:9708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:10712
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:9432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:12220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:12412
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:12452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:12784
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14292
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:12876
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:12708
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13792
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        Modifies firewall policy service
        
        PID:5160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5480
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        Modifies firewall policy service
        
        PID:5836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:5292
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5336
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        Suspicious use of SetThreadContext
        
        PID:5184
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        Adds Run key to start application
        
        PID:6724
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        Modifies firewall policy service
        
        PID:7020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        Modifies firewall policy service
        
        PID:8128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:8016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Adds Run key to start application
        
        PID:8760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        Adds Run key to start application
        
        PID:8952
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:9824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        Adds Run key to start application
        
        PID:10092
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10356
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        
        PID:10372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:10388
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        Modifies firewall policy service
        
        PID:10492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:10636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:12592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Modifies firewall policy service
        
        PID:12616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:13292
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:13484
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:13468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:14504
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:9744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13432
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:14080
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Modifies firewall policy service
        
        PID:11400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13580
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13348
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:832
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        Loads dropped DLL
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        Modifies firewall policy service
        
        PID:452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        Modifies firewall policy service
        
        PID:5408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:5144
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        Modifies firewall policy service
        
        PID:1776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        
        PID:6372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:7600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:7304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        
        PID:9036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Modifies firewall policy service
        
        PID:9272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:8408
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        
        PID:8208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        Adds Run key to start application
        
        PID:10828
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:10364
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:8224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:11812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:11324
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:10748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:13128
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:13848
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:13944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:13980
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13904
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:11056
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12896
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13568
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13764
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13496
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        
        PID:11216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:1668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12904
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13792
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        Loads dropped DLL
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        
        PID:3900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5456
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:5640
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        
        PID:5660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:5248
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        Loads dropped DLL
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        
        PID:6904
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:6808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        
        PID:7844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        
        PID:7328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Adds Run key to start application
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:9532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:9816
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:11136
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:10728
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:4512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:12024
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        
        PID:11468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:10248
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:12552
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        
        PID:14516
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        
        PID:14560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:14612
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:10888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        
        PID:14832
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:11420
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:11492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12436
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13088
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:12168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        
        PID:14684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        
        PID:14740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:14792
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        
        PID:10584
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        
        PID:10604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:10544
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:10716
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:10876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12504
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:11520
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:11492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13420
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        
        PID:8524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        
        PID:10712
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        
        PID:10692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        
        PID:11344
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:12012
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:12108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12772
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:12056
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:12252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13804
      - C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        7⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        8⤵
        Loads dropped DLL
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        Loads dropped DLL
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:804
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        Loads dropped DLL
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        22⤵
        Modifies firewall policy service
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        
        PID:5472
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        24⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        25⤵
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        26⤵
        Loads dropped DLL
        
        PID:5268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:5796
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        28⤵
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        Loads dropped DLL
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        30⤵
        Suspicious use of SetThreadContext
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        31⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        34⤵
        Adds Run key to start application
        
        PID:7020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        37⤵
        
        PID:6304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        38⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        39⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:8016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        42⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        43⤵
        Modifies firewall policy service
        
        PID:8080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        44⤵
        
        PID:924
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        44⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        45⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        46⤵
        Modifies firewall policy service
        
        PID:8420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        48⤵
        
        PID:9604
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        49⤵
        Adds Run key to start application
        
        PID:9636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        50⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        50⤵
        
        PID:9812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        51⤵
        
        PID:9636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        52⤵
        
        PID:9432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        Adds Run key to start application
        
        PID:11248
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        54⤵
        
        PID:8524
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        55⤵
        
        PID:9180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        56⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        56⤵
        
        PID:12084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:11040
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        58⤵
        Modifies firewall policy service
        
        PID:9608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:12416
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        60⤵
        
        PID:14076
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        61⤵
        
        PID:14108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        62⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        62⤵
        
        PID:13932
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:10276
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:12040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:11488
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:4628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:13972
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10728
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        
        PID:9748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        
        PID:11392
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:12188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        Adds Run key to start application
        
        PID:12248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12800
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13416
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:12452
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        Adds Run key to start application
        
        PID:9296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Adds Run key to start application
        
        PID:10852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        
        PID:11352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:11100
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:11876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:10720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:9180
      - C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        6⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        7⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:8892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        8⤵
        
        PID:9872
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        9⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        10⤵
        
        PID:9516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:10508
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10776
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        13⤵
        Modifies firewall policy service
        
        PID:10996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        14⤵
        
        PID:11456
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        15⤵
        
        PID:10672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        16⤵
        
        PID:11420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12852
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        18⤵
        
        PID:13544
        
        C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe"
        19⤵
        
        PID:13592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        20⤵
        
        PID:12712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Key Folder\ddd882.dll

Filesize
18KB

MD5
ee6ca1a8fdd200f3c224146f28be5a7c

SHA1
87b49eaacd52f34301b65bc268ba2610c2f8d73d

SHA256
ded2245b73aeaf55db9a6f7421779c8cae32a2fc296d3d40238f51b3105083f0

SHA512
90d72bd696edab8479338d8de333fccaa8b15e75e114b1121f334bb5116b3fd50223d3e1cde2cd44c022b43bd882b68582669f8fddaaa6a2bd48041efb99ef04

Download Submit
C:\Users\Admin\AppData\Roaming\Key Folder\filesystem.exe

Filesize
166KB

MD5
edbbc1e26a160aa198267064c3f6be97

SHA1
a6f44fd2b0e1f93e8c8d333f73cbe683ed0d9325

SHA256
c86a0c40766cc80e1c67f8ae7e52881696c19b0fdceb2cb8ccad62aeefe7389b

SHA512
9c177cbc32c4b001f12c654c3878404c32b83d2826f6cafa08622f592f5a0b4d1cf4cb0c25e045c5795749d04606a6dcbe07fa119cc37c7eaf9835c665067a35

Download Submit
C:\Users\Admin\AppData\Roaming\Key Folder\sql2005.dll

Filesize
32KB

MD5
b48ce6d638090506ed0c4ac1ffe0b401

SHA1
2b9e46d25c16ec02fe586b719a5b3b6d8aa7ac37

SHA256
f141b62105eed36665f406951cd3cc02ef9d867f17b4eb2d2c2057184c36d21e

SHA512
bca9324aa48dbff0c365f0899e857e86ce4abd4c1cf3d558eba91cfff0d3d2de8191419d5d9abbfde4f6d20be4acb54b4737c00bcbf805ad2985ddf08921f0c0

Download Submit
memory/716-123-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/808-96-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1092-138-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1488-83-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-73-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2036-69-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2264-36-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2348-44-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3260-88-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3360-101-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3556-128-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3564-117-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3788-107-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3788-16-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4004-82-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4084-28-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4224-1-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4312-78-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4400-142-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4432-22-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4432-19-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4608-148-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4644-52-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/4812-111-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4852-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4852-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4852-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4852-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4852-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5020-61-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/5040-118-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5108-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads