phorphiex | bc4707c1d81c7978cf963c26b3cc69585cb8aaa8e4b5859cc4688220db88f9d0

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000d0000000243d5-1120.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/10660-1219-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1220-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1218-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1217-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1216-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1214-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1213-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1221-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10660-1222-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
9	3168	wscript.exe
11	3168	wscript.exe
15	3168	wscript.exe
24	3168	wscript.exe
124	3168	wscript.exe

Blocks application from running via registry modification 14 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4896	wbadmin.exe

Disables RegEdit via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Updater = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-VirusScript = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5876	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File created	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File opened for modification	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/10660-1219-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1220-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1218-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1217-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1216-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1211-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1214-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1207-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1213-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1212-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1210-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1208-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1221-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10660-1222-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\advapi32_ext.vbs	wscript.exe
File opened for modification	C:\Windows\advapi32_ext.vbs	wscript.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
12124	sc.exe
7576	sc.exe
2880	sc.exe
8144	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4224	vssadmin.exe

Kills process with taskkill 64 IoCs

pid	Process
11080	taskkill.exe
3820	taskkill.exe
10172	taskkill.exe
9436	taskkill.exe
7316	taskkill.exe
8480	taskkill.exe
6568	taskkill.exe
5424	taskkill.exe
6264	taskkill.exe
2036	taskkill.exe
11960	taskkill.exe
716	taskkill.exe
12284	taskkill.exe
11496	taskkill.exe
7076	taskkill.exe
11192	taskkill.exe
6204	taskkill.exe
8124	taskkill.exe
4476	taskkill.exe
7252	taskkill.exe
7548	taskkill.exe
5540	taskkill.exe
6032	taskkill.exe
8892	taskkill.exe
11504	taskkill.exe
12292	taskkill.exe
6248	taskkill.exe
11080	taskkill.exe
2036	taskkill.exe
7672	taskkill.exe
7728	taskkill.exe
9724	taskkill.exe
7824	taskkill.exe
8580	taskkill.exe
9456	taskkill.exe
3836	taskkill.exe
5996	taskkill.exe
13284	taskkill.exe
2072	taskkill.exe
300	taskkill.exe
3224	taskkill.exe
7184	taskkill.exe
4552	taskkill.exe
12800	taskkill.exe
6220	taskkill.exe
7844	taskkill.exe
6168	taskkill.exe
11868	taskkill.exe
4880	taskkill.exe
13240	taskkill.exe
384	taskkill.exe
10564	taskkill.exe
7188	taskkill.exe
9176	taskkill.exe
11700	taskkill.exe
8140	taskkill.exe
11408	taskkill.exe
11704	taskkill.exe
4968	taskkill.exe
8548	taskkill.exe
7064	taskkill.exe
760	taskkill.exe
10096	taskkill.exe
7868	taskkill.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Mouse	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop	wscript.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{BD43B5F3-AEB5-4523-8FD8-A0C70ACB3FC1}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	calc.exe

Opens file in notepad (likely ransom note) 18 IoCs

pid	Process
8408	notepad.exe
3500	notepad.exe
9424	notepad.exe
9832	notepad.exe
10000	notepad.exe
9476	notepad.exe
13004	notepad.exe
3480	notepad.exe
11292	notepad.exe
10576	notepad.exe
13100	notepad.exe
10028	notepad.exe
12600	notepad.exe
428	notepad.exe
8084	notepad.exe
12364	notepad.exe
5456	notepad.exe
12976	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5876	powershell.exe
5876	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 55 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeBackupPrivilege	4540	vssvc.exe
Token: SeRestorePrivilege	4540	vssvc.exe
Token: SeAuditPrivilege	4540	vssvc.exe
Token: SeBackupPrivilege	4848	wbengine.exe
Token: SeRestorePrivilege	4848	wbengine.exe
Token: SeSecurityPrivilege	4848	wbengine.exe
Token: SeDebugPrivilege	5672	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeSystemtimePrivilege	3916	cmd.exe
Token: SeSystemtimePrivilege	3916	cmd.exe
Token: SeDebugPrivilege	5208	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	6048	taskkill.exe
Token: SeSystemtimePrivilege	2012	cmd.exe
Token: SeSystemtimePrivilege	2012	cmd.exe
Token: SeSystemtimePrivilege	4248	cmd.exe
Token: SeSystemtimePrivilege	4248	cmd.exe
Token: SeSystemtimePrivilege	5208	cmd.exe
Token: SeSystemtimePrivilege	5208	cmd.exe
Token: SeSystemtimePrivilege	1916	cmd.exe
Token: SeSystemtimePrivilege	1916	cmd.exe
Token: SeSystemtimePrivilege	5480	cmd.exe
Token: SeSystemtimePrivilege	5480	cmd.exe
Token: SeDebugPrivilege	6572	taskkill.exe
Token: SeSystemtimePrivilege	2744	cmd.exe
Token: SeSystemtimePrivilege	2744	cmd.exe
Token: SeSystemtimePrivilege	5248	cmd.exe
Token: SeSystemtimePrivilege	5248	cmd.exe
Token: SeSystemtimePrivilege	2004	cmd.exe
Token: SeSystemtimePrivilege	2004	cmd.exe
Token: SeSystemtimePrivilege	4972	cmd.exe
Token: SeSystemtimePrivilege	4972	cmd.exe
Token: SeSystemtimePrivilege	3652	cmd.exe
Token: SeSystemtimePrivilege	3652	cmd.exe
Token: SeSystemtimePrivilege	1628	cmd.exe
Token: SeSystemtimePrivilege	1628	cmd.exe
Token: SeSystemtimePrivilege	5592	cmd.exe
Token: SeSystemtimePrivilege	5592	cmd.exe
Token: SeSystemtimePrivilege	3264	cmd.exe
Token: SeSystemtimePrivilege	3264	cmd.exe
Token: SeSystemtimePrivilege	5716	cmd.exe
Token: SeSystemtimePrivilege	5716	cmd.exe
Token: SeDebugPrivilege	6164	taskkill.exe
Token: SeSystemtimePrivilege	6844	cmd.exe
Token: SeSystemtimePrivilege	6844	cmd.exe
Token: SeSystemtimePrivilege	1764	cmd.exe
Token: SeSystemtimePrivilege	1764	cmd.exe
Token: SeSystemtimePrivilege	6960	cmd.exe
Token: SeSystemtimePrivilege	6888	cmd.exe
Token: SeSystemtimePrivilege	6888	cmd.exe
Token: SeSystemtimePrivilege	6960	cmd.exe
Token: SeSystemtimePrivilege	6884	cmd.exe
Token: SeSystemtimePrivilege	6884	cmd.exe
Token: SeSystemtimePrivilege	6388	cmd.exe
Token: SeSystemtimePrivilege	6388	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5024	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5568	OpenWith.exe
3052	OpenWith.exe
1628	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5940 wrote to memory of 3168	5940	WScript.exe	87
PID 5940 wrote to memory of 3168	5940	WScript.exe	87
PID 3168 wrote to memory of 5876	3168	wscript.exe	88
PID 3168 wrote to memory of 5876	3168	wscript.exe	88
PID 3168 wrote to memory of 5180	3168	wscript.exe	90
PID 3168 wrote to memory of 5180	3168	wscript.exe	90
PID 3168 wrote to memory of 1400	3168	wscript.exe	93
PID 3168 wrote to memory of 1400	3168	wscript.exe	93
PID 3168 wrote to memory of 4956	3168	wscript.exe	95
PID 3168 wrote to memory of 4956	3168	wscript.exe	95
PID 4956 wrote to memory of 4224	4956	cmd.exe	98
PID 4956 wrote to memory of 4224	4956	cmd.exe	98
PID 3168 wrote to memory of 5240	3168	wscript.exe	102
PID 3168 wrote to memory of 5240	3168	wscript.exe	102
PID 5240 wrote to memory of 4896	5240	cmd.exe	104
PID 5240 wrote to memory of 4896	5240	cmd.exe	104
PID 3168 wrote to memory of 428	3168	wscript.exe	108
PID 3168 wrote to memory of 428	3168	wscript.exe	108
PID 3168 wrote to memory of 3224	3168	wscript.exe	162
PID 3168 wrote to memory of 3224	3168	wscript.exe	162
PID 3168 wrote to memory of 2864	3168	wscript.exe	112
PID 3168 wrote to memory of 2864	3168	wscript.exe	112
PID 3168 wrote to memory of 1580	3168	wscript.exe	114
PID 3168 wrote to memory of 1580	3168	wscript.exe	114
PID 3168 wrote to memory of 5536	3168	wscript.exe	115
PID 3168 wrote to memory of 5536	3168	wscript.exe	115
PID 5536 wrote to memory of 5672	5536	wscript.exe	116
PID 5536 wrote to memory of 5672	5536	wscript.exe	116
PID 1580 wrote to memory of 3876	1580	wscript.exe	118
PID 1580 wrote to memory of 3876	1580	wscript.exe	118
PID 2864 wrote to memory of 5308	2864	cmd.exe	172
PID 2864 wrote to memory of 5308	2864	cmd.exe	172
PID 2864 wrote to memory of 2668	2864	cmd.exe	324
PID 2864 wrote to memory of 2668	2864	cmd.exe	324
PID 2864 wrote to memory of 1712	2864	cmd.exe	122
PID 2864 wrote to memory of 1712	2864	cmd.exe	122
PID 2864 wrote to memory of 684	2864	cmd.exe	123
PID 2864 wrote to memory of 684	2864	cmd.exe	123
PID 2864 wrote to memory of 5780	2864	cmd.exe	125
PID 2864 wrote to memory of 5780	2864	cmd.exe	125
PID 2864 wrote to memory of 5524	2864	cmd.exe	126
PID 2864 wrote to memory of 5524	2864	cmd.exe	126
PID 3876 wrote to memory of 5936	3876	wscript.exe	127
PID 3876 wrote to memory of 5936	3876	wscript.exe	127
PID 5936 wrote to memory of 2688	5936	wscript.exe	131
PID 5936 wrote to memory of 2688	5936	wscript.exe	131
PID 2688 wrote to memory of 5484	2688	wscript.exe	134
PID 2688 wrote to memory of 5484	2688	wscript.exe	134
PID 5536 wrote to memory of 1600	5536	wscript.exe	135
PID 5536 wrote to memory of 1600	5536	wscript.exe	135
PID 5484 wrote to memory of 4916	5484	wscript.exe	137
PID 5484 wrote to memory of 4916	5484	wscript.exe	137
PID 5536 wrote to memory of 2224	5536	wscript.exe	138
PID 5536 wrote to memory of 2224	5536	wscript.exe	138
PID 4916 wrote to memory of 2144	4916	wscript.exe	140
PID 4916 wrote to memory of 2144	4916	wscript.exe	140
PID 5536 wrote to memory of 760	5536	wscript.exe	141
PID 5536 wrote to memory of 760	5536	wscript.exe	141
PID 2144 wrote to memory of 1888	2144	wscript.exe	142
PID 2144 wrote to memory of 1888	2144	wscript.exe	142
PID 1888 wrote to memory of 2484	1888	wscript.exe	144
PID 1888 wrote to memory of 2484	1888	wscript.exe	144
PID 5536 wrote to memory of 2328	5536	wscript.exe	145
PID 5536 wrote to memory of 2328	5536	wscript.exe	145

System policy modification 1 TTPs 19 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5940
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs" /elevated
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
    3⤵
    PID:5180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com" disable
    3⤵
    PID:1400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5240
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4896
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:428
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:5308
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2668
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:1712
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:684
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:5780
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:5524
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5936
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        11⤵
        Checks computer location settings
        
        PID:2484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        Checks computer location settings
        
        PID:5876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        Checks computer location settings
        
        PID:5600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        Checks computer location settings
        
        PID:5560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        Checks computer location settings
        
        PID:4224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        Checks computer location settings
        
        PID:2020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        Checks computer location settings
        
        PID:5156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        Checks computer location settings
        
        PID:1064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        Checks computer location settings
        
        PID:5452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        
        PID:432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        Checks computer location settings
        
        PID:5532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        Checks computer location settings
        
        PID:1356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        Checks computer location settings
        
        PID:6472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        Checks computer location settings
        
        PID:6792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        Checks computer location settings
        
        PID:7024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        
        PID:5248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        
        PID:6280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        Checks computer location settings
        
        PID:6200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        Checks computer location settings
        
        PID:7112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        Checks computer location settings
        
        PID:8300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        Checks computer location settings
        
        PID:8568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        Checks computer location settings
        
        PID:8692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        Checks computer location settings
        
        PID:8780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        Checks computer location settings
        
        PID:8880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        Checks computer location settings
        
        PID:8996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        Checks computer location settings
        
        PID:9044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        Checks computer location settings
        
        PID:9092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        Checks computer location settings
        
        PID:9180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        Checks computer location settings
        
        PID:2668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        Checks computer location settings
        
        PID:4248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        Checks computer location settings
        
        PID:5700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        Checks computer location settings
        
        PID:6492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        Checks computer location settings
        
        PID:8276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        Checks computer location settings
        
        PID:6408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:7772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        Checks computer location settings
        
        PID:8596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        Checks computer location settings
        
        PID:8660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        Checks computer location settings
        
        PID:6776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        Checks computer location settings
        
        PID:8828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        Checks computer location settings
        
        PID:6208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        Checks computer location settings
        
        PID:8892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        Checks computer location settings
        
        PID:6724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        Checks computer location settings
        
        PID:8296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        Checks computer location settings
        
        PID:7116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        Checks computer location settings
        
        PID:8436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        Checks computer location settings
        
        PID:9260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        Checks computer location settings
        
        PID:9308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        Checks computer location settings
        
        PID:9364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        
        PID:10896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        Checks computer location settings
        
        PID:11012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        Checks computer location settings
        
        PID:11144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        Checks computer location settings
        
        PID:10732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        Checks computer location settings
        
        PID:11132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        Checks computer location settings
        
        PID:2032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        Checks computer location settings
        
        PID:11260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        Checks computer location settings
        
        PID:5508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        
        PID:5264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:11352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        
        PID:11444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        
        PID:11532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        
        PID:11632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        
        PID:11720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:11808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        
        PID:11908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        
        PID:12040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        
        PID:12180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        
        PID:12248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        
        PID:11276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        
        PID:11516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        
        PID:11940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        
        PID:2672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        
        PID:10848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        
        PID:11732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        
        PID:11768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        90⤵
        
        PID:11620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        91⤵
        
        PID:5232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        92⤵
        
        PID:11300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        93⤵
        
        PID:4292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        94⤵
        
        PID:11840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        95⤵
        
        PID:8496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        96⤵
        
        PID:12328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        97⤵
        
        PID:12384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        98⤵
        
        PID:12436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        99⤵
        
        PID:12488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        100⤵
        
        PID:12540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        101⤵
        
        PID:12592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        102⤵
        
        PID:12664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        103⤵
        
        PID:12716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        104⤵
        
        PID:12768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        105⤵
        
        PID:12824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        106⤵
        
        PID:12884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        107⤵
        
        PID:12936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        108⤵
        
        PID:13036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        109⤵
        
        PID:13092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        110⤵
        
        PID:13148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        111⤵
        
        PID:13200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        29⤵
        
        PID:2244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        29⤵
        
        PID:8472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        28⤵
        
        PID:6344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        27⤵
        
        PID:6300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        26⤵
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        26⤵
        
        PID:8640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        25⤵
        
        PID:6316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        24⤵
        
        PID:6896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        24⤵
        
        PID:8368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        23⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        23⤵
        
        PID:8396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        22⤵
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        21⤵
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        20⤵
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        19⤵
        
        PID:5320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        18⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2ac,0x348,0x7ff90f78f208,0x7ff90f78f214,0x7ff90f78f220
        19⤵
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=1944 /prefetch:3
        19⤵
        
        PID:4404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2020,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=2016 /prefetch:2
        19⤵
        
        PID:2016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2360,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:8
        19⤵
        
        PID:3020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        19⤵
        
        PID:5236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        19⤵
        
        PID:2028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4852,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:1
        19⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5164,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
        19⤵
        
        PID:4740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5216,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
        19⤵
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5460,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:1
        19⤵
        
        PID:6752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5444,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:1
        19⤵
        
        PID:6300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5224,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:1
        19⤵
        
        PID:3540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5480,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
        19⤵
        
        PID:6772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=3884,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
        19⤵
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=5400,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:1
        19⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5324,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1
        19⤵
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5364,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:1
        19⤵
        
        PID:3240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5388,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:1
        19⤵
        
        PID:6240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
        19⤵
        
        PID:184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4612,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
        19⤵
        
        PID:6252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7112,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7100 /prefetch:1
        19⤵
        
        PID:6180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7280,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:1
        19⤵
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5056,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
        19⤵
        
        PID:6116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7532,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7572 /prefetch:1
        19⤵
        
        PID:3652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7704,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7732 /prefetch:1
        19⤵
        
        PID:7336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7992,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8024 /prefetch:1
        19⤵
        
        PID:7524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=8160,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8152 /prefetch:1
        19⤵
        
        PID:7584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7916,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8288 /prefetch:1
        19⤵
        
        PID:7644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8428,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8264 /prefetch:1
        19⤵
        
        PID:7724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=8596,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8608 /prefetch:1
        19⤵
        
        PID:7756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=8628,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:1
        19⤵
        
        PID:7912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7928,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1
        19⤵
        
        PID:8012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=9004,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9028 /prefetch:1
        19⤵
        
        PID:8060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=8296,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9184 /prefetch:1
        19⤵
        
        PID:8080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=9356,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9344 /prefetch:1
        19⤵
        
        PID:8188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=9008,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9528 /prefetch:1
        19⤵
        
        PID:7680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=9564,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8600 /prefetch:1
        19⤵
        
        PID:6284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=8904,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=8460 /prefetch:1
        19⤵
        
        PID:9368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=5704,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9152 /prefetch:1
        19⤵
        
        PID:9376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6004,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9108 /prefetch:1
        19⤵
        
        PID:9384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=6032,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9112 /prefetch:1
        19⤵
        
        PID:9396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5680,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:1
        19⤵
        
        PID:9404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=5976,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:1
        19⤵
        
        PID:9412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=3696,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
        19⤵
        
        PID:9420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=5756,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7000 /prefetch:1
        19⤵
        
        PID:9428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=5720,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:1
        19⤵
        
        PID:9436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=5644,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:1
        19⤵
        
        PID:9448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=5660,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1
        19⤵
        
        PID:9456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6136,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9552 /prefetch:1
        19⤵
        
        PID:9464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=6072,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=9028 /prefetch:1
        19⤵
        
        PID:9472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=3584,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:1
        19⤵
        
        PID:9480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=5572,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10112 /prefetch:1
        19⤵
        
        PID:9488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7176,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10132 /prefetch:1
        19⤵
        
        PID:9496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=9872,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10152 /prefetch:1
        19⤵
        
        PID:9504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=9908,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10172 /prefetch:1
        19⤵
        
        PID:9512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=9932,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10192 /prefetch:1
        19⤵
        
        PID:9520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=9976,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:1
        19⤵
        
        PID:9528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=10020,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:1
        19⤵
        
        PID:9536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=10040,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1
        19⤵
        
        PID:9544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7436,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=10104 /prefetch:8
        19⤵
        
        PID:9552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5520,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:8
        19⤵
        
        PID:9560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6252,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7444 /prefetch:8
        19⤵
        
        PID:9568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=7352,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=11964 /prefetch:1
        19⤵
        
        PID:10916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=13248,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=13276 /prefetch:8
        19⤵
        Modifies registry class
        
        PID:10192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=13464,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=13424 /prefetch:8
        19⤵
        
        PID:11716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=688,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=13416 /prefetch:8
        19⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=13456,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=13404 /prefetch:8
        19⤵
        
        PID:8480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9044,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7880 /prefetch:8
        19⤵
        
        PID:7728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4112,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:2
        19⤵
        
        PID:11136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9044,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=7880 /prefetch:8
        19⤵
        
        PID:10572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11576,i,15132287691300290651,16774784418483986943,262144 --variations-seed-version --mojo-platform-channel-handle=11624 /prefetch:8
        19⤵
        
        PID:6296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        17⤵
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        17⤵
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        16⤵
        
        PID:6848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        15⤵
        
        PID:4884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        14⤵
        
        PID:3516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        13⤵
        
        PID:6728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        12⤵
        
        PID:7948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        11⤵
        
        PID:7872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        10⤵
        
        PID:6440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        9⤵
        
        PID:6252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        8⤵
        
        PID:7452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        7⤵
        
        PID:6292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        6⤵
        
        PID:5360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        5⤵
        
        PID:6752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time 00:00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
      4⤵
      PID:7608
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:760
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4908
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5208
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5308
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6048
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6572
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6164
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:7116
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:8892
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:10660
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:11080
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:11188
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:3820
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:3624
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:716
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:11408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:11568
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:11704
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:11868
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:12104
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:12284
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:11504
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:7628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:12076
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:11840
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:12036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:7628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:9424
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:9724
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:9456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:6372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:7824
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:12292
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:7972
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:11496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:780
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6316
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:8580
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:6608
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:7252
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:7280
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:12616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:12800
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:6248
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:8140
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:5424
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:9916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:10096
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:13140
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:13276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:7848
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:7340
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6440
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:7828
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:13016
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:8916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:7688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:7184
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:5208
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:7352
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:4968
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:11080
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:12628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:7592
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:4880
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:4552
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:4372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:2036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:5572
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:7132
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:12468
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:7076
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:8240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:8448
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:8420
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:9900
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:10096
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:13240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:12148
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:11192
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:7868
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:13016
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:7664
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:7688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:12164
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:7504
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:6728
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:12176
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:6784
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6204
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:7264
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:11080
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:7548
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:3484
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:12800
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:4548
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:1452
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:9372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:10564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:9436
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:1332
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7584
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:9176
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:2240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:11700
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:10172
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:9596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:2300
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:8548
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:4388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:9408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:9704
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:3464
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:10096
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:6192
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:9456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:11316
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:7648
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:7672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:6220
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:3836
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:12036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:13172
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:8124
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:7316
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:5540
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:4968
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:7276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:7188
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:12616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:6264
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:7064
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:4852
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:11240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:5996
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:5080
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:7728
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:10564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:13284
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:8480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:2036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:3996
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:3524
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:8792
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:748
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:6736
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:4688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:8508
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:8656
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:8756
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:11960
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:4524
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:2072
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:8940
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:8448
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:12276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:7844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:6428
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:9456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:7668
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:6168
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:5944
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:11780
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:11108
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:10228
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:13136
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:7424
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:9128
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:5208
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:7312
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:12152
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:12192
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:7440
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:8380
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:4908
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:5996
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:6568
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:9436
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:11380
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:292
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:8972
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:3560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:10804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:5736
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:1784
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:6032
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:1772
- - C:\Windows\pei.exe
    "C:\Windows\pei.exe"
    3⤵
    PID:7396
  - - C:\Users\Admin\AppData\Local\Temp\2899723278.exe
      C:\Users\Admin\AppData\Local\Temp\2899723278.exe
      4⤵
      PID:7760
    - - C:\Windows\sysldrvcs.exe
        
        C:\Windows\sysldrvcs.exe
        5⤵
        
        PID:8160
      - C:\Users\Admin\AppData\Local\Temp\2056027289.exe
        
        C:\Users\Admin\AppData\Local\Temp\2056027289.exe
        6⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\153312276.exe
        
        C:\Users\Admin\AppData\Local\Temp\153312276.exe
        7⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\276567879.exe
        
        C:\Users\Admin\AppData\Local\Temp\276567879.exe
        7⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\2899833645.exe
        
        C:\Users\Admin\AppData\Local\Temp\2899833645.exe
        7⤵
        
        PID:5340
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:12124
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "MgrDrvSvc" binpath= "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:7576
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:8144
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\2991119522.exe
        
        C:\Users\Admin\AppData\Local\Temp\2991119522.exe
        6⤵
        
        PID:8588
      - C:\Users\Admin\AppData\Local\Temp\669419084.exe
        
        C:\Users\Admin\AppData\Local\Temp\669419084.exe
        6⤵
        
        PID:9188
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    PID:3816
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\AddFind.otf.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8084
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CheckpointSplit.tmp.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:12364
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CompressPop.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8408
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ConvertFromConvertTo.vb.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:13004
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CopyReceive.bmp.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3500
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DebugRead.wps.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3480
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableLimit.wmv.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:11292
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ExportShow.tif.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:9424
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\FindUnregister.xltx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5456
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\InvokeOut.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:10576
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Microsoft Edge.lnk.lcryx
    3⤵
    PID:9732
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\MoveApprove.aif.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:10000
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\OpenPublish.ps1.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:9476
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ResizeResolve.M2V.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:12600
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RestoreInvoke.m4v.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:12976
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RevokeRegister.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:13100
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\SearchConfirm.rtf.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:9832
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\SelectStart.vb.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:10028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c 0x2fc
1⤵
PID:7708

C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
1⤵
PID:5692
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6096
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:10660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery