lumma | hxxps://darknessonyx[.]com/ryoss

Resubmissions

24-01-2025 11:49

250124-nzb23axjgv 10

24-01-2025 11:46

250124-nxfx8syjhl 10

Analysis

max time kernel
418s
max time network
402s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://darknessonyx.com/ryoss

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://sheayingero.shop/api

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 12 IoCs

pid	Process
892	Bootstrapper.exe
5076	Flows.com
5648	Flows.com
5464	Flows.com
6096	Flows.com
4092	Flows.com
912	Flows.com
1200	Flows.com
4872	Flows.com
2692	Flows.com
5856	Flows.com
3308	Flows.com

Enumerates processes with tasklist 1 TTPs 22 IoCs

discovery

Process Discovery

T1057

pid	Process
3036	tasklist.exe
5960	tasklist.exe
5896	tasklist.exe
4496	tasklist.exe
2948	tasklist.exe
5148	tasklist.exe
2408	tasklist.exe
4252	tasklist.exe
5136	tasklist.exe
3740	tasklist.exe
3760	tasklist.exe
4384	tasklist.exe
3804	tasklist.exe
4268	tasklist.exe
4452	tasklist.exe
5144	tasklist.exe
5636	tasklist.exe
5820	tasklist.exe
3144	tasklist.exe
5544	tasklist.exe
4964	tasklist.exe
4968	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ElementFrost	Bootstrapper.exe
File opened for modification	C:\Windows\BirthdayBirds	Bootstrapper.exe
File opened for modification	C:\Windows\SituationYr	Bootstrapper.exe
File opened for modification	C:\Windows\FacingOccasion	Bootstrapper.exe
File opened for modification	C:\Windows\TablesThou	Bootstrapper.exe
File opened for modification	C:\Windows\AlloyDj	Bootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flows.com

Checks SCSI registry key(s) 3 TTPs 45 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "5"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
2868	NOTEPAD.EXE
4796	NOTEPAD.EXE
3340	NOTEPAD.EXE
6100	NOTEPAD.EXE
6076	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
2276	msedge.exe
2276	msedge.exe
800	identity_helper.exe
800	identity_helper.exe
640	msedge.exe
640	msedge.exe
5076	Flows.com
5076	Flows.com
5076	Flows.com
5076	Flows.com
5076	Flows.com
5076	Flows.com
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
5648	Flows.com
5648	Flows.com
5648	Flows.com
5648	Flows.com
5648	Flows.com
5648	Flows.com
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
5896	msedge.exe
5896	msedge.exe
5464	Flows.com
5464	Flows.com
5464	Flows.com
5464	Flows.com
5464	Flows.com
5464	Flows.com
6096	Flows.com
6096	Flows.com
6096	Flows.com
6096	Flows.com
6096	Flows.com
6096	Flows.com
4092	Flows.com
4092	Flows.com
4092	Flows.com
4092	Flows.com
4092	Flows.com
4092	Flows.com
912	Flows.com
912	Flows.com
912	Flows.com
912	Flows.com
912	Flows.com
912	Flows.com
1200	Flows.com
1200	Flows.com
1200	Flows.com
1200	Flows.com
1200	Flows.com
1200	Flows.com

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
13844	Process not Found
11320	Process not Found
14860	Process not Found
17268	Process not Found
7516	Process not Found
14896	Process not Found
11492	Process not Found
8036	Process not Found
10000	Process not Found
13132	Process not Found
7524	Process not Found
14648	Process not Found
16620	Process not Found
13676	Process not Found
8644	Process not Found
6944	Process not Found
16808	Process not Found
17048	Process not Found
16608	Process not Found
16804	Process not Found
8592	Process not Found
4996	Process not Found
15656	Process not Found
6968	Process not Found
17364	Process not Found
16020	Process not Found
16776	Process not Found
17380	Process not Found
2244	Process not Found
15820	Process not Found
14508	Process not Found
7440	Process not Found
13536	Process not Found
15824	Process not Found
14768	Process not Found
16372	Process not Found
13284	Process not Found
620	Process not Found
5968	Process not Found
5972	Process not Found
15780	Process not Found
16524	Process not Found
828	Process not Found
836	Process not Found
780	Process not Found
1996	Process not Found
3956	Process not Found
408	Process not Found
5092	Process not Found
3452	Process not Found
1368	Process not Found
2572	Process not Found
11196	Process not Found
14988	Process not Found
16144	Process not Found
3248	Process not Found
2984	Process not Found
5492	Process not Found
4304	Process not Found
4340	Process not Found
4260	Process not Found
4896	Process not Found
4416	Process not Found
4988	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5840	7zG.exe
Token: 35	5840	7zG.exe
Token: SeSecurityPrivilege	5840	7zG.exe
Token: SeSecurityPrivilege	5840	7zG.exe
Token: SeDebugPrivilege	5636	tasklist.exe
Token: SeDebugPrivilege	5820	tasklist.exe
Token: SeDebugPrivilege	5136	tasklist.exe
Token: SeDebugPrivilege	5544	tasklist.exe
Token: SeDebugPrivilege	3352	taskmgr.exe
Token: SeSystemProfilePrivilege	3352	taskmgr.exe
Token: SeCreateGlobalPrivilege	3352	taskmgr.exe
Token: 33	3352	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3352	taskmgr.exe
Token: SeDebugPrivilege	3740	tasklist.exe
Token: SeDebugPrivilege	3144	tasklist.exe
Token: SeDebugPrivilege	4384	tasklist.exe
Token: SeDebugPrivilege	5896	tasklist.exe
Token: SeDebugPrivilege	4496	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeDebugPrivilege	3760	tasklist.exe
Token: SeDebugPrivilege	3804	tasklist.exe
Token: SeDebugPrivilege	4268	tasklist.exe
Token: SeDebugPrivilege	2948	tasklist.exe
Token: SeDebugPrivilege	5148	tasklist.exe
Token: SeDebugPrivilege	4452	tasklist.exe
Token: SeDebugPrivilege	2408	tasklist.exe
Token: SeDebugPrivilege	4968	tasklist.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	4252	tasklist.exe
Token: SeDebugPrivilege	5144	tasklist.exe
Token: SeDebugPrivilege	5960	tasklist.exe
Token: SeCreateGlobalPrivilege	15772	dwm.exe
Token: SeChangeNotifyPrivilege	15772	dwm.exe
Token: 33	15772	dwm.exe
Token: SeIncBasePriorityPrivilege	15772	dwm.exe
Token: SeCreateGlobalPrivilege	16472	dwm.exe
Token: SeChangeNotifyPrivilege	16472	dwm.exe
Token: 33	16472	dwm.exe
Token: SeIncBasePriorityPrivilege	16472	dwm.exe
Token: SeCreateGlobalPrivilege	9844	dwm.exe
Token: SeChangeNotifyPrivilege	9844	dwm.exe
Token: 33	9844	dwm.exe
Token: SeIncBasePriorityPrivilege	9844	dwm.exe
Token: SeCreateGlobalPrivilege	14252	dwm.exe
Token: SeChangeNotifyPrivilege	14252	dwm.exe
Token: 33	14252	dwm.exe
Token: SeIncBasePriorityPrivilege	14252	dwm.exe
Token: SeCreateGlobalPrivilege	17156	dwm.exe
Token: SeChangeNotifyPrivilege	17156	dwm.exe
Token: 33	17156	dwm.exe
Token: SeIncBasePriorityPrivilege	17156	dwm.exe
Token: SeCreateGlobalPrivilege	13132	dwm.exe
Token: SeChangeNotifyPrivilege	13132	dwm.exe
Token: 33	13132	dwm.exe
Token: SeIncBasePriorityPrivilege	13132	dwm.exe
Token: SeCreateGlobalPrivilege	8592	dwm.exe
Token: SeChangeNotifyPrivilege	8592	dwm.exe
Token: 33	8592	dwm.exe
Token: SeIncBasePriorityPrivilege	8592	dwm.exe
Token: SeCreateGlobalPrivilege	16964	dwm.exe
Token: SeChangeNotifyPrivilege	16964	dwm.exe
Token: 33	16964	dwm.exe
Token: SeIncBasePriorityPrivilege	16964	dwm.exe
Token: 33	16220	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
5840	7zG.exe
5076	Flows.com
5076	Flows.com
5076	Flows.com
5648	Flows.com
5648	Flows.com
5648	Flows.com
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
5076	Flows.com
5076	Flows.com
5076	Flows.com
5648	Flows.com
5648	Flows.com
5648	Flows.com
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
2276	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4208	2276	msedge.exe	83
PID 2276 wrote to memory of 4208	2276	msedge.exe	83
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4564	2276	msedge.exe	85
PID 2276 wrote to memory of 4760	2276	msedge.exe	86
PID 2276 wrote to memory of 4760	2276	msedge.exe	86
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87
PID 2276 wrote to memory of 2040	2276	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://darknessonyx.com/ryoss
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9ef746f8,0x7ffd9ef74708,0x7ffd9ef74718
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9933085676007479069,3912368249449790467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5744

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\R-e-l-v-x64\" -spe -an -ai#7zMap14694:84:7zEvent8621
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5840

C:\Users\Admin\Downloads\R-e-l-v-x64\Bootstrapper.exe
"C:\Users\Admin\Downloads\R-e-l-v-x64\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Peak Peak.cmd & Peak.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 177979
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6112
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Flyer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3216
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "tone" Intensity
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5548
- - C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
    Flows.com I
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5076
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5428

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Peak.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.cmd" "
1⤵
PID:6116
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:4864
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5544
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:5936
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:3700
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:4928
- C:\Windows\system32\findstr.exe
  findstr /V "tone" Intensity
  2⤵
  PID:5952
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5648
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:4996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:3344
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:4488
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:4928
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:5432
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:5844
- C:\Windows\system32\findstr.exe
  findstr /V "tone" Intensity
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:5048
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:3820
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:4816
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:1596
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5896
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:4024
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:5396
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:4016
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6096
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:6048
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:2408
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:5524
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:2800
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:4872
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:1436
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:5932
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:1312
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:5912
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Peak.bat"
1⤵
PID:3308
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:412
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:4016
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:4504
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:4816
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:5784
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5148
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:4828
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:5196
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:5608
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:5756
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:3948
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:2944
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:4572
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:3760
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:5600
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:724
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:1544
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:1924
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5856
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Peak.bat" "
1⤵
PID:440
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\system32\findstr.exe
  findstr /I "opssvc wrsa"
  2⤵
  PID:6140
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\system32\findstr.exe
  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  2⤵
  PID:948
- C:\Windows\system32\cmd.exe
  cmd /c md 177979
  2⤵
  PID:5968
- C:\Windows\system32\extrac32.exe
  extrac32 /Y /E Flyer
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  cmd /c copy /b 177979\Flows.com + Baby + Monday + Franklin + Keyword + Native + Box + Indeed + On + Mutual 177979\Flows.com
  2⤵
  PID:3520
- C:\Windows\system32\cmd.exe
  cmd /c copy /b ..\Scheduled + ..\Metadata + ..\Columns + ..\Challenges + ..\Age + ..\Burner + ..\Ideas + ..\Three I
  2⤵
  PID:5744
- C:\Users\Admin\AppData\Local\Temp\177979\Flows.com
  Flows.com I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3308
- C:\Windows\system32\choice.exe
  choice /d y /t 5
  2⤵
  PID:4168

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cmd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
1⤵
PID:4364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4680
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2860
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3924
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3620

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cmd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
1⤵
PID:5936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1444

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cmd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
1⤵
PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5784

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cmd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
1⤵
PID:6052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:17292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1420 -p 15056 -ip 15056
1⤵
PID:2176

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:16472

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9844

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14252

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:17156

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13132

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8592

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:16964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:16220

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:9204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:16132

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4476

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:16460

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:15512

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:14548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\97f13049-3e1a-44c0-b79d-49c17d57829e.tmp

Filesize
10KB

MD5
44372936e41fef8d0a8a4b0fb85dcd2e

SHA1
311c055fc0abb5d09cd842a170c527dab33b778e

SHA256
b8ffd3ff8dbe1e15db23aa2a67079ac9094a77779e1025e3f3e373379948b56e

SHA512
f5feda2f701793979b43b37e09a4ac838b1d5cdc5f36e66772e5c5c676ba6af6d5d6b9d15e08a1f090e47ab1c2b419966ab344aca7e03affa58a4361194efcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
41d437d61eb79b054768909b22738775

SHA1
7448470580ed32756c0def5ce83b04a77e5ef025

SHA256
93afa43b53af5b5b2fd4474fa9f9d63b0952cefbe103e7746c32c1c20b85f371

SHA512
f3d75781d534e53e88e7fdf20e8f9af2e5a9f2a50dbec7708de5c15cfd242d0cd85143e53de2fa948cade3c50166bf22301090104d62a37e97b986b9e6290e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
34ab901671854e41bce43679eed40eab

SHA1
5c2f05dabf72fb3b8d00393d786284e4d66d9179

SHA256
a0102af6063ef8f536b3520ed00f87658fc168fb63b1a39fcb4544d593bbe53d

SHA512
2c314c54dfd562a8482ddca87aa7293d3412978a9e1e1ae7d3c7ccf54dc0fd25be567c5607fa6f4c55d46db0b340ea639993f73f97d5508a2db260d6cacbc914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5d216aeb55f9df9a83bc62b3bdc38e25

SHA1
d8b05af2e6cfe5d01fa92e77d2536146833cb22a

SHA256
50d7a79e6137629fa07b6dc9fc048cebfd2392578633d59b697e6855809ff96a

SHA512
558313a677c91fe2c5e921bf78c755d8619be03712d8f11984ed5d9835e2060f6fd9bfff7a2b76bb1e32a0145e3bdaac09499adfb721aa501cda6970e037c095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
84a19e7a76d84d95ae83108d2cd1aaf6

SHA1
eb2a57fda8478896f93afa0b51005797ab643aa0

SHA256
cebcb0a85617cbe007b4aacd0a57c0ad00ff42209bcdb7025c611ac5ba7c4c26

SHA512
8d03ca417230d7bf2be90e34ec0d24009ab57de47ea9e829423e6524fe3fd55f02fd037595f79b51dfb4c6f133fcdda76e73e706d17f38fc6d15e4faf896127a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f5edbd51230bd8cbc8427927553389dd

SHA1
4f35005cc8026b8896097b0ed4554fe09416bfcd

SHA256
a39930b36cf6a6413be35ca8ab380d54a22103bdf13f52b3559d344d653e6689

SHA512
ba7da4b23003da137a590e102f8a4bcd3a3d6a613375fe1ac4880530244324f1f15cc189c2603413c9a92525ff5f141fc8517a72b394310908ead9c5b7f7cdfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7a6073625f1fca3de781d1bd2c07acd2

SHA1
7609b7b2a4577e58f5a0423ce01cf6cebafc613b

SHA256
4ad209100505a8abbd1c9bf155323258368299085a72e91ae83a5b25e87f416d

SHA512
a853c32e11b861e4e32f8857c67cf7368395660f1cff9e3596357eec0edaa226998e08c27449ad60e0edc2b6b6fb2d7fb39c2ce7c33eedb081555c9745e30ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
50d9b5fc1fe716094ff9a6b3ca97acaf

SHA1
6fb1e68bc9a9e8208b62aae18932617d94a9011d

SHA256
0534bc55b2056a05ac356bee298f75474cffc96c79b4c632464c153ae47e071b

SHA512
1928f05953feee55c476074172951adf8b1944aaaa7907ed876adaec89cd6e4a414a6f21af214b08ed2496cf91943f7d7f582f6d3115fdb7c7c83634df5e51e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c5193d2bc60ef1fcc961acab13ba728

SHA1
07cc34cc2e3495e2990f32f0455d452ef2748fad

SHA256
56ac751437954eda26a6c96f4fe998ba4291d2a445211f62b089d4e9e21beb3b

SHA512
d16a3a81be225cfe7d8b2d5a364cbf9fcabb9ff5e93f591a9c63484138bdcfed68885eb6e1a08651c1230466a71ae2a3ab533dbed180bb36215b4b894553082a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db077ef2c2639f7973f2ef0bb2376fef

SHA1
db3335067077b67b88a287eafcafeaa6ab5d8a9d

SHA256
bb1dea24f8e032d3258ea1b4de3f4495b515a5ccc2c10c3e60ff913a248a55b1

SHA512
383350e07cfc9e1adcf30504c4d31de26ce9ffd34fa5c990f9a137172b1a89cdeac101143ed8c92acf84a4a20515a4a39bf6a637e122e393a7d3269a9a8afede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e9d86bf44e3fa88416789b140fd9db2

SHA1
248cd2c66a6741f54b4c175f8ee8de2904e271af

SHA256
89fac6eaf68a15cca4acd7a3de838a63438ce81f94e16a120fbd7f53fee1630a

SHA512
da147e00053c099530eb41030bc3ac1577126bc31eef1500c75b80dc68eafd26264d8c08df283d5711eb14270512085cc7ed5317641237c4c1d49ec09697d05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
0287a0437f7fe230d4312f97a002965d

SHA1
d271318c99f943edc1231b6b27807e3944b21b9d

SHA256
0615c1e1239a77e6d1ea3c3c45adc72c09b93ba4fb788813fee6618231162100

SHA512
f1ad2d72c33f9e27faac970ad51665fa3054d77d8eb26317c3e935ede98c46a3ff1b464a6d0bcefed9c5bffad7b2cc5a8a98f0a6ea28fdf071aa73988dd2018e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c932.TMP

Filesize
706B

MD5
c22874381cabf078d97c7ccc390e4c16

SHA1
1fd4e819ef6e7d8f4e391ef8586a1ab181c84d8e

SHA256
449bbac90fc8825aaccbd927173641ad689884bf5f279a0133df5ddb1dd1c737

SHA512
aafcf7d8c5b6d4203a28ea1f76cf748e1ef7ca191785df5f816c07175d8f1137aaf83ce384b44ae60a6fe06e452e639e9123dd0e3bbd6acdd220b2629cb14ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d25a8493a37230101d4870aec6710f00

SHA1
6f52a67b9d3f46990c338c08772016d1726e7ef0

SHA256
facceceafe7cc07bb0af2a5cce1ccc8378138c6068f02d40044bf493438a22a5

SHA512
255beec5abecd58a206c15152287daf3b3f42492d148a2d5afb3108b2c45ca77505cf9ccfbbbda949181cd1ed1427de2d8a8bce360d1daf953658a66799531f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
47c878152dbd89a52a2be3377e2a8bfd

SHA1
1b42d2e56f38e2c27a7744890ed682ef336fa931

SHA256
38d13ca049c4ba3e62fadb3acae174967b81da4a6a37d26bd761826a1052cd9e

SHA512
31feaec7b86171781176cfaabc29144e46f8718e70e251fc030b9492b7552af9149c45a040e710d5c1b679500d7a8236b89f1aa4fef878cf1bffd7b43b7c37f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe01eb96d20b6f226e2d8200392360d7

SHA1
7fbc3f999d6a591a8a2c93981f2cc8887267965c

SHA256
c5673089bf993a397deae83414b8e89e239687c62588ecc7d54f50ca2fff8a94

SHA512
ac090c14bf5ef3ece747551cc3d6e4c276b3b457e7995d76ccff231d29437afd030768acc6502bb355f858fee3a54de576592f3a1131a064a1faa7a25cf6c592

Download Submit
C:\Users\Admin\AppData\Local\Temp\177979\Flows.com

Filesize
1KB

MD5
8f9d821f8d7a79581a2ab3a0986a78f1

SHA1
b7bf35a298f8c440c28957e54f636dd91e35e31c

SHA256
a22de98030a228592c7d75a2c6fae0a637d7b4e8a2c52da61fef50f88478a86c

SHA512
0989650bd42270d5dc15bc77f8ee01e37b8dcbb3043a623cc5c1e8fff9bba8970b149cbc57281f4facb41509455f5af684a03cf96fadaedcb50d1e0f856ab9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\177979\Flows.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\177979\I

Filesize
477KB

MD5
8ce37257e647eafc2b435f2b56f2b33e

SHA1
beb990946ba7aa30d7f3f0c5242c5ff74ad2290d

SHA256
7385853f9d1e0473cffea742bdc89c69eabae19750402f7644c5e9c7274685db

SHA512
9e43b761faee231f440d405a429cdd4c45e155602988929ace1f34946951d18fd08a6b833e866642001a58b42971cee678667e5490adfb80f004a025f377e7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Age

Filesize
60KB

MD5
84692b422690f4852cb88836dbb1e0b0

SHA1
931fd3f161113cb84407455b7786dd63bba3c15a

SHA256
cc2f5e9bac8af1aaf86d2c004f1b2234261b6722c1b821c2153d1835372ee875

SHA512
74f5610074976dc96c6e387e9719f789b4a2c4ec0cb1cafd20452df7b268a9468672a38169c447d534261ab7b085c135828bc0c84dc5831d5c82e3cd36161fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Baby

Filesize
133KB

MD5
a86c655555e2e198272d833d78eb743b

SHA1
0f6bb609d65d8ae521f15f2306162e69469c57c8

SHA256
d6108619ca2f1670ef01ec58fd62d98c84877c7d6cec6075f27e7b926d71de12

SHA512
26b4319d1fd657f3e66395fd8db2b229358d487c685a4d6ac42d61c7604eb9920b2da6c16fcfd6e81ed512edc715630122fd8b9a6066ee3e96c0155ea1273eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Box

Filesize
71KB

MD5
1b2da465247a01a3b76472249a3d0deb

SHA1
616f32ade9272c6d240506b8a74bdcccea9304ae

SHA256
94d5c530034c5ec9506c5e3b52def91b4e79b9222d7da2b712d00fe6f002d35b

SHA512
dfe9da0f3b449c24c751d4c0cda6a0377d1070461c4f25b1900057a02108c5768e350f0c0e217716cec77001a4f629e14f64d55894ff19f73f36c3e24abbeef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Burner

Filesize
64KB

MD5
878f18ed4b302e6c94d0a190d145f697

SHA1
c67320a66d6148485dec9075081db6957ef50e3c

SHA256
96e0e15abacaa99c9120b398a4d0c9eecfb08d789666940b74759ce913979713

SHA512
8545bcf1a979bae7c1de2aa34a5198ec772161d021e3fb302de4bb631a6796dddc9093f91b7ba14e4d41327c463bb61d2ff0b1fa8bb48c7cdc9808d5cc2f652f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Challenges

Filesize
94KB

MD5
0fd905bd29e18e664e3d3d9a6bb06ae6

SHA1
f532f1ba93228a60a483b40e4cd9c41e08877a27

SHA256
958643e7eba918e3867e1813480038d19716f39740d882755b7030ad8ac3bffc

SHA512
22416b891d9cb11adb5a5483e7eda868df6e5439ccfc635c077206c030d1814070c52718dedd3307983982d92a57b9644afd66f8e4936905da04ad4a3837f7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Columns

Filesize
56KB

MD5
1c070e2cfeee36acf2fc7eb8c940ea66

SHA1
bb0e3d8db79e93bc732227bf3b5328c34e2dc254

SHA256
9a34487568789c5baff8a4fc46f0759d8d7cc06189ccbff928c3f6f2a0cb3cbd

SHA512
d58a8eaa563a6f092d062f5d31b16195c48b9ac5a657c8e2dbcf658c000b24bbc092d2526a4976f820318a0586037b9e707b1b2f06b8c972e34b7f767c5024c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flyer

Filesize
476KB

MD5
0338ef5a811b1886bc1c34f368cb2ffa

SHA1
d4c5d8a923c3271e1fd283ec1d8163b67db4dbbf

SHA256
3ddd2fe9b650e01e2f8b8940c47d5fc5039962a2f5315646c0baad6a2fdb0fa2

SHA512
8b0596bc09da58e88a959d3d73128e1db6c3095b283ee2e96be7048d055988c27b45f4a256ccaa22d489082262722900b8d01afd511efb8187153265266aced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Franklin

Filesize
93KB

MD5
56e4414823fd2b7142284ed6d5a363b7

SHA1
64ee8eff5dc6de329ca71d2bdc8280a55dde95ba

SHA256
c5a5cfbf1ad6b80af7b467a232a5c016f8e077e5e33a84c306bea7fd3c5b319b

SHA512
6e8f863ac5473e528a6eef96c07a56bdf2cd5572f2df68cf6745d5819c367160edcb098a378ef4d7de4814aa4a09705d1d11be2aa949c44b7d56f201952881bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ideas

Filesize
60KB

MD5
7b55e663410315b46b7c6cf9694f2608

SHA1
052f23cbbb5534826753018adc62f29cc7ae94d9

SHA256
37e34e0e46968b68e412ea504b05c5156252dae0b70e0687ba90271f04bb45d1

SHA512
dc4c6c0b7b3d633aa7d07bac7ee093867c043086bab2d0a450a726f9eef7a75f9b6406b567a1dcfbbc6d4fe87b89dfbb772f41e4aa2a90e0464edde3ea6a1479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Indeed

Filesize
147KB

MD5
09c30eb57d7b8d5b6d2bed9172d72dba

SHA1
fc927ce49b240a9074d7cebc24ca184edbd8a1bf

SHA256
b321aaeea6b3b59d803228074d3d92a1f3c708c6b7ea46147c95511215cc105b

SHA512
fc34121fbbef228a8b250142cc10d47de6969f13d22d539c5e4411fe0af2c1117636413092e8fd756354b634a42f47bd6e584700ca79f8ab3113ad64f6ad2fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intensity

Filesize
1KB

MD5
f61e65c8b5e558627396ed8261aee6a4

SHA1
9a35551af1d6bf2ffa97d15ec9c5b39d0f6d505a

SHA256
86d914001ade248c24ebdc8e38e39565c4f5bc2bd05deb357cae22d805707d72

SHA512
65be47472dca6c4eb8e099d54dedb8169486449832ff29ed563d632954d48789731b16fb442717efed0b5742e7a672c11e032fd4ccfde6b6e0cd77a32e8c9b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keyword

Filesize
124KB

MD5
6349c17c75b1138329f07491744a9ed4

SHA1
840c353b3f6a3dfc0b75bb389e2d9903c98890d2

SHA256
15c91f0da6a7118a864f230d59149f8d56bf3d50404fd5b5c2b610a5dab0d293

SHA512
bea4e290e2b7a246e42facd5a987894b267881f26154d67f56b179168b1da9c9338d41f9808f63e1d0de8995c50e321e44d228d1cef761ea8faf9f159904b787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Metadata

Filesize
68KB

MD5
2a0bf741f448dd30696be8f465b5b833

SHA1
b4a2c57793378236bf3c50c1fb45fcc1920fbbca

SHA256
3a3a09f732bb2b46fd1ef87e67088be5614dffe9fa661afa8acf2d7764ab7496

SHA512
269a5e255b674017086e2bc74ef8c6f7f14176e923283cbf8113ebcd5d585b485f5b43f9aec6ae9ffcdb6e8d5248c8bb70e65b3647ff7f10409938313ec96c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monday

Filesize
84KB

MD5
b8eac858c394e989430167327a8ae7cf

SHA1
c7226e8012f0888b7bec48d0afade50534db1fdc

SHA256
45dd80aa6a648289f7f13b413884b6e288018c8178bce3df58c53b49e51f68fc

SHA512
5f6005be3db377c0050189d8ddab64f1e43e61f0471a6239d03af705f51cdb3d64ba3011fdb8c9c7d569cf4321f0abb13a0fcf1f088397fae390d5bcc4aaf802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mutual

Filesize
67KB

MD5
07d393f56efd3b9326606b437b71f1d4

SHA1
bd63b40e51e2e6c68a266e9f06f20b94e29c882c

SHA256
f0ef7a9e9dce3aebcf8e05805ba9c1c912c4faae9e01b9ca3efd2ec83f528414

SHA512
ad6471df9322535eb862d86cbd342ddf3e744932889972d310412b06c0a66af807f708c115232f29278c074ec9611896e91876a99ba468494bd4304a1378f559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Native

Filesize
90KB

MD5
b09fe66fe9ba0c96d5f09e3cceaf61a8

SHA1
04e173e7bc1d3c632d206b2f38bdd2bac4b40a21

SHA256
b5f56cd6ac094dec19e7b1ff1ed162dc07d4ca3af7579adca5ac9c43a44640dd

SHA512
746a22266eb2c8d8d89de5dd3c605ead29d2bf0b172bdedcd6d298126dcc02522707e488c3400cd2edb7cd0265a7e12212b16ff336f148a39a252055c653a959

Download Submit
C:\Users\Admin\AppData\Local\Temp\On

Filesize
114KB

MD5
6c1c4f39f2bb55057641898e3d376930

SHA1
b43b16c85687517d3dd83f82b6b421304f7e628d

SHA256
48e5d116dc1494dbd8905eec10832aa7ce19f4f812d91514ab6fce5ce6f57cf7

SHA512
ff4ee5c654f50bea1fb92ace656c952ef573759f08ce072468d5029e6c38d77609a200de54f49c68c9fecf6ed515dd2864ba3acb1a5ce523d6a3efae9745a3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peak

Filesize
30KB

MD5
20718b8b13d6d0de153980d6759d39e5

SHA1
d3ac2a4ea8dcbe0f74f4ac148c4567aeb6f707ad

SHA256
abaa9a49fce5f6ee29eb407c9aa85961ab8f256a322e3309cf7c874ef7a56e9b

SHA512
2864b793a479410ea6ba152490ff313e40a6357444245fb4935777d9ebf854918bc5ddbf8d4b3d348a94b5931501664cc1d41b5617b10e62bdd24efba60fd0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scheduled

Filesize
56KB

MD5
99b09fb9fba65c428078b8ccd89f90ea

SHA1
c1ec375fa1c9ac8323fa156596ff7694b4b18dc4

SHA256
86bc96aaf2de8304b80d0ee08ea403686c2dca2c5c623eb7692ab85b41217910

SHA512
8fe7a7ed45a52ce4b6b0b0a325349d14598953f056f331d4aba128c11dbcf06f6b1f1ee58e92dcc7f7569e60fc97561118841dba8a77b0c32e2ee95dde964e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Three

Filesize
19KB

MD5
2e94c6d5accc6a1afec513fc9bffce73

SHA1
f58f072d322645b8160adf57e4de7383dd5668c6

SHA256
6f8378f9fbde1d7f59f5ff455f8aab61eea7fa7c591f05bf88f761be2cbaeb65

SHA512
c62b03e9320333c174b04988d33af71dfbd9a37aaa8518847a2bf14a29a1c761481c6869d59b7f089a775cc06f023fc93c5924da47f2ca25fb696e4fccfd4ffe

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859757.crdownload

Filesize
12.4MB

MD5
58f3bb56a8e3d9c9d2d98af985a1e801

SHA1
dea99dab71d1d9e7b90c8dc085d14a0785000691

SHA256
016e318c67ce354a25edcf06f61eab9511b117a839851e0d193eb06ec0d7599c

SHA512
a286b32b7fcaafc7513dfdca87da757b1c183f937583a2e17e320c97e6f05bc774e7d61fbf1bed5f7690d8b8762fb549b0fa325a256208f1ce1ab83f195b8b92

Download Submit
memory/3352-1023-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1028-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1027-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1026-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1025-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1024-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1022-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1016-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1017-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/3352-1018-0x0000014AE0540000-0x0000014AE0541000-memory.dmp

Filesize
4KB

Download
memory/5076-931-0x0000000004420000-0x000000000447B000-memory.dmp

Filesize
364KB

Download
memory/5076-932-0x0000000004420000-0x000000000447B000-memory.dmp

Filesize
364KB

Download
memory/5076-933-0x0000000004420000-0x000000000447B000-memory.dmp

Filesize
364KB

Download
memory/5076-934-0x0000000004420000-0x000000000447B000-memory.dmp

Filesize
364KB

Download
memory/5076-930-0x0000000004420000-0x000000000447B000-memory.dmp

Filesize
364KB

Download