phorphiex | 8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs"	wscript.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000024356-530.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 5 IoCs

flow	pid	Process
9	1892	wscript.exe
16	1892	wscript.exe
20	1892	wscript.exe
31	1892	wscript.exe
145	1892	wscript.exe

Blocks application from running via registry modification 14 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4948	wbadmin.exe

Disables RegEdit via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-VirusScript = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Updater = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4044	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File created	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File opened for modification	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\advapi32_ext.vbs	wscript.exe
File opened for modification	C:\Windows\advapi32_ext.vbs	wscript.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
13712	sc.exe
16084	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4612	vssadmin.exe

Kills process with taskkill 64 IoCs

pid	Process
13096	taskkill.exe
13500	taskkill.exe
14536	taskkill.exe
2624	taskkill.exe
14920	taskkill.exe
19932	taskkill.exe
11896	taskkill.exe
4860	taskkill.exe
3976	taskkill.exe
12512	taskkill.exe
20180	taskkill.exe
20228	taskkill.exe
5840	taskkill.exe
11412	taskkill.exe
11856	taskkill.exe
18520	taskkill.exe
1164	taskkill.exe
7384	taskkill.exe
11988	taskkill.exe
14092	taskkill.exe
13748	taskkill.exe
11580	taskkill.exe
11924	taskkill.exe
17244	taskkill.exe
18984	taskkill.exe
4268	taskkill.exe
13136	taskkill.exe
4860	taskkill.exe
276	taskkill.exe
12672	taskkill.exe
14904	taskkill.exe
16604	taskkill.exe
18144	taskkill.exe
3808	taskkill.exe
5388	taskkill.exe
8884	taskkill.exe
3224	taskkill.exe
9596	taskkill.exe
13500	taskkill.exe
19560	taskkill.exe
14244	taskkill.exe
9048	taskkill.exe
8824	taskkill.exe
9304	taskkill.exe
12628	taskkill.exe
19748	taskkill.exe
4308	taskkill.exe
5264	taskkill.exe
7484	taskkill.exe
16736	taskkill.exe
292	taskkill.exe
5140	taskkill.exe
16992	taskkill.exe
18160	taskkill.exe
20456	taskkill.exe
9476	taskkill.exe
18396	taskkill.exe
17356	taskkill.exe
12244	taskkill.exe
12792	taskkill.exe
14396	taskkill.exe
14672	taskkill.exe
16424	taskkill.exe
18268	taskkill.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Mouse	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop	wscript.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870752156700541"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{73D364EF-8144-40DD-BE9F-3B840D9FF3D1}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{8555D760-220C-46A5-ACD9-30F4AD73401C}	msedge.exe

Opens file in notepad (likely ransom note) 3 IoCs

pid	Process
4988	notepad.exe
19948	notepad.exe
18012	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4044	powershell.exe
4044	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5708	wscript.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeBackupPrivilege	6112	vssvc.exe
Token: SeRestorePrivilege	6112	vssvc.exe
Token: SeAuditPrivilege	6112	vssvc.exe
Token: SeBackupPrivilege	3388	wbengine.exe
Token: SeRestorePrivilege	3388	wbengine.exe
Token: SeSecurityPrivilege	3388	wbengine.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	3548	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	5400	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	5616	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5496	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	5980	taskkill.exe
Token: SeSystemtimePrivilege	3516	cmd.exe
Token: SeSystemtimePrivilege	3516	cmd.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	5264	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	6356	taskkill.exe
Token: SeDebugPrivilege	7140	taskkill.exe
Token: SeDebugPrivilege	7388	taskkill.exe
Token: 33	7196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	7196	AUDIODG.EXE
Token: SeDebugPrivilege	7484	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	7384	taskkill.exe
Token: SeDebugPrivilege	8276	taskkill.exe
Token: SeDebugPrivilege	8568	taskkill.exe
Token: SeDebugPrivilege	8744	taskkill.exe
Token: SeDebugPrivilege	8884	taskkill.exe
Token: SeDebugPrivilege	9048	taskkill.exe
Token: SeDebugPrivilege	9172	taskkill.exe
Token: SeDebugPrivilege	8328	taskkill.exe
Token: SeDebugPrivilege	8824	taskkill.exe
Token: SeDebugPrivilege	9144	taskkill.exe
Token: SeDebugPrivilege	8536	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	9332	taskkill.exe
Token: SeDebugPrivilege	9476	taskkill.exe
Token: SeDebugPrivilege	11412	taskkill.exe
Token: SeDebugPrivilege	11580	taskkill.exe
Token: SeDebugPrivilege	11716	taskkill.exe
Token: SeDebugPrivilege	11856	taskkill.exe
Token: SeDebugPrivilege	11984	taskkill.exe
Token: SeDebugPrivilege	12132	taskkill.exe
Token: SeDebugPrivilege	12244	taskkill.exe
Token: SeDebugPrivilege	11620	taskkill.exe
Token: SeDebugPrivilege	11924	taskkill.exe
Token: SeDebugPrivilege	11384	taskkill.exe
Token: SeDebugPrivilege	11896	taskkill.exe
Token: SeDebugPrivilege	11988	taskkill.exe
Token: SeDebugPrivilege	12384	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3300	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5772	Calculator.exe
5772	Calculator.exe
5772	Calculator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1892	2828	WScript.exe	86
PID 2828 wrote to memory of 1892	2828	WScript.exe	86
PID 1892 wrote to memory of 4044	1892	wscript.exe	87
PID 1892 wrote to memory of 4044	1892	wscript.exe	87
PID 1892 wrote to memory of 1984	1892	wscript.exe	89
PID 1892 wrote to memory of 1984	1892	wscript.exe	89
PID 1892 wrote to memory of 1564	1892	wscript.exe	91
PID 1892 wrote to memory of 1564	1892	wscript.exe	91
PID 1892 wrote to memory of 3324	1892	wscript.exe	93
PID 1892 wrote to memory of 3324	1892	wscript.exe	93
PID 3324 wrote to memory of 4612	3324	cmd.exe	95
PID 3324 wrote to memory of 4612	3324	cmd.exe	95
PID 1892 wrote to memory of 4764	1892	wscript.exe	99
PID 1892 wrote to memory of 4764	1892	wscript.exe	99
PID 4764 wrote to memory of 4948	4764	cmd.exe	101
PID 4764 wrote to memory of 4948	4764	cmd.exe	101
PID 1892 wrote to memory of 4988	1892	wscript.exe	106
PID 1892 wrote to memory of 4988	1892	wscript.exe	106
PID 1892 wrote to memory of 2196	1892	wscript.exe	110
PID 1892 wrote to memory of 2196	1892	wscript.exe	110
PID 1892 wrote to memory of 5820	1892	wscript.exe	113
PID 1892 wrote to memory of 5820	1892	wscript.exe	113
PID 1892 wrote to memory of 2964	1892	wscript.exe	115
PID 1892 wrote to memory of 2964	1892	wscript.exe	115
PID 1892 wrote to memory of 5708	1892	wscript.exe	116
PID 1892 wrote to memory of 5708	1892	wscript.exe	116
PID 5708 wrote to memory of 4308	5708	wscript.exe	162
PID 5708 wrote to memory of 4308	5708	wscript.exe	162
PID 2964 wrote to memory of 1068	2964	wscript.exe	119
PID 2964 wrote to memory of 1068	2964	wscript.exe	119
PID 5820 wrote to memory of 3384	5820	cmd.exe	120
PID 5820 wrote to memory of 3384	5820	cmd.exe	120
PID 5820 wrote to memory of 3732	5820	cmd.exe	121
PID 5820 wrote to memory of 3732	5820	cmd.exe	121
PID 5820 wrote to memory of 5652	5820	cmd.exe	122
PID 5820 wrote to memory of 5652	5820	cmd.exe	122
PID 5820 wrote to memory of 5764	5820	cmd.exe	123
PID 5820 wrote to memory of 5764	5820	cmd.exe	123
PID 5820 wrote to memory of 5388	5820	cmd.exe	126
PID 5820 wrote to memory of 5388	5820	cmd.exe	126
PID 5820 wrote to memory of 3476	5820	cmd.exe	127
PID 5820 wrote to memory of 3476	5820	cmd.exe	127
PID 1068 wrote to memory of 5260	1068	wscript.exe	129
PID 1068 wrote to memory of 5260	1068	wscript.exe	129
PID 5260 wrote to memory of 4040	5260	wscript.exe	131
PID 5260 wrote to memory of 4040	5260	wscript.exe	131
PID 5708 wrote to memory of 3548	5708	wscript.exe	132
PID 5708 wrote to memory of 3548	5708	wscript.exe	132
PID 4040 wrote to memory of 5872	4040	wscript.exe	134
PID 4040 wrote to memory of 5872	4040	wscript.exe	134
PID 5872 wrote to memory of 4576	5872	wscript.exe	137
PID 5872 wrote to memory of 4576	5872	wscript.exe	137
PID 5708 wrote to memory of 4896	5708	wscript.exe	138
PID 5708 wrote to memory of 4896	5708	wscript.exe	138
PID 4576 wrote to memory of 224	4576	wscript.exe	140
PID 4576 wrote to memory of 224	4576	wscript.exe	140
PID 5708 wrote to memory of 5452	5708	wscript.exe	141
PID 5708 wrote to memory of 5452	5708	wscript.exe	141
PID 224 wrote to memory of 4544	224	wscript.exe	143
PID 224 wrote to memory of 4544	224	wscript.exe	143
PID 4544 wrote to memory of 5568	4544	wscript.exe	145
PID 4544 wrote to memory of 5568	4544	wscript.exe	145
PID 5708 wrote to memory of 5400	5708	wscript.exe	146
PID 5708 wrote to memory of 5400	5708	wscript.exe	146

System policy modification 1 TTPs 19 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs" /elevated
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
    3⤵
    PID:1984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com" disable
    3⤵
    PID:1564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4948
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4988
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5820
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3384
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:3732
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5652
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:5764
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5388
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:3476
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5260
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        11⤵
        
        PID:5568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        
        PID:5532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        Checks computer location settings
        
        PID:2336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        
        PID:1392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        Checks computer location settings
        
        PID:1860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        Checks computer location settings
        
        PID:936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        Checks computer location settings
        
        PID:5900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        
        PID:808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        
        PID:4148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        
        PID:3880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        
        PID:5352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        Checks computer location settings
        
        PID:5136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        Checks computer location settings
        
        PID:3040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        
        PID:3964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        Checks computer location settings
        
        PID:1264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        
        PID:2480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        Checks computer location settings
        
        PID:744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        Checks computer location settings
        
        PID:2424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        
        PID:6148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        
        PID:6348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        Checks computer location settings
        
        PID:6976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        Checks computer location settings
        
        PID:1708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        Checks computer location settings
        
        PID:6628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        
        PID:7084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        
        PID:2252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        
        PID:7180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        
        PID:7264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        
        PID:7312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        Checks computer location settings
        
        PID:7496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        
        PID:7564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        Checks computer location settings
        
        PID:7860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        
        PID:7932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        
        PID:7984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        
        PID:7768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        Checks computer location settings
        
        PID:7840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        Checks computer location settings
        
        PID:8004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:7200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        
        PID:7660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        
        PID:7704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        Checks computer location settings
        
        PID:7012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        Checks computer location settings
        
        PID:7656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        Checks computer location settings
        
        PID:7780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        Checks computer location settings
        
        PID:8220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        
        PID:8312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        Checks computer location settings
        
        PID:8604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        Checks computer location settings
        
        PID:8696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        
        PID:8812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        
        PID:8900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        
        PID:8992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        
        PID:9076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        Checks computer location settings
        
        PID:9152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        
        PID:1352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        Checks computer location settings
        
        PID:8308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        
        PID:8640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        
        PID:8888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        
        PID:9184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        
        PID:7004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        Checks computer location settings
        
        PID:8960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        
        PID:5128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        Checks computer location settings
        
        PID:8808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:6880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        Checks computer location settings
        
        PID:9280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        
        PID:9360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        Checks computer location settings
        
        PID:9436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        Checks computer location settings
        
        PID:9532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:9600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        
        PID:9668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        
        PID:9716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        Checks computer location settings
        
        PID:9768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        Checks computer location settings
        
        PID:9824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        Checks computer location settings
        
        PID:9872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        Checks computer location settings
        
        PID:9924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        
        PID:9984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        Checks computer location settings
        
        PID:10064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        Checks computer location settings
        
        PID:10124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        Checks computer location settings
        
        PID:10196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        Checks computer location settings
        
        PID:9112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        90⤵
        
        PID:9272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        91⤵
        Checks computer location settings
        
        PID:9024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        92⤵
        
        PID:9400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        93⤵
        Checks computer location settings
        
        PID:9540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        94⤵
        
        PID:9652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        95⤵
        
        PID:10012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        96⤵
        Checks computer location settings
        
        PID:10228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        97⤵
        
        PID:8600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        98⤵
        
        PID:10372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        99⤵
        
        PID:10456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        100⤵
        
        PID:10544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        101⤵
        
        PID:10604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        102⤵
        
        PID:10672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        103⤵
        Checks computer location settings
        
        PID:10752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        104⤵
        Checks computer location settings
        
        PID:10804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        105⤵
        Checks computer location settings
        
        PID:10860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        106⤵
        
        PID:10960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        107⤵
        Checks computer location settings
        
        PID:11040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        108⤵
        
        PID:11100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        109⤵
        
        PID:11156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        110⤵
        
        PID:11208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        111⤵
        Checks computer location settings
        
        PID:11260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        112⤵
        
        PID:10284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        113⤵
        Checks computer location settings
        
        PID:10624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        114⤵
        Checks computer location settings
        
        PID:10704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        115⤵
        
        PID:10948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        116⤵
        Checks computer location settings
        
        PID:11064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        117⤵
        
        PID:11268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        118⤵
        
        PID:11316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        119⤵
        
        PID:11368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        120⤵
        
        PID:11456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        121⤵
        Checks computer location settings
        
        PID:11524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        122⤵
        
        PID:11608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        123⤵
        Checks computer location settings
        
        PID:11684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        124⤵
        Checks computer location settings
        
        PID:11796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        125⤵
        Checks computer location settings
        
        PID:11900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        126⤵
        
        PID:11968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        127⤵
        Checks computer location settings
        
        PID:12076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        128⤵
        
        PID:12176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        129⤵
        Checks computer location settings
        
        PID:12252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        130⤵
        Checks computer location settings
        
        PID:11452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        131⤵
        
        PID:11660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        132⤵
        
        PID:11736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        133⤵
        
        PID:12064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        134⤵
        Checks computer location settings
        
        PID:12136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        135⤵
        Checks computer location settings
        
        PID:12272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        136⤵
        
        PID:11580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        137⤵
        
        PID:11744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        138⤵
        
        PID:11964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        139⤵
        
        PID:12332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        140⤵
        Checks computer location settings
        
        PID:12420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        141⤵
        
        PID:12496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        142⤵
        
        PID:12592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        143⤵
        
        PID:12656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        144⤵
        
        PID:12760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        145⤵
        
        PID:12868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        146⤵
        
        PID:12944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        147⤵
        
        PID:13080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        148⤵
        
        PID:13192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        149⤵
        
        PID:13244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        150⤵
        
        PID:13304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        151⤵
        
        PID:11988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        152⤵
        
        PID:12524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        153⤵
        
        PID:12520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        154⤵
        
        PID:12740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        155⤵
        
        PID:12892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        156⤵
        
        PID:12908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        157⤵
        
        PID:13052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        158⤵
        
        PID:13140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        159⤵
        
        PID:13108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        160⤵
        
        PID:12404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        161⤵
        
        PID:13000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        162⤵
        
        PID:13344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        163⤵
        
        PID:13408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        164⤵
        
        PID:13460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        165⤵
        
        PID:13548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        166⤵
        
        PID:13596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        167⤵
        
        PID:13652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        168⤵
        
        PID:13704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        169⤵
        
        PID:13752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        170⤵
        
        PID:13800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        171⤵
        
        PID:13852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        172⤵
        
        PID:13900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        173⤵
        
        PID:13948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        174⤵
        
        PID:14000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        175⤵
        
        PID:14128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        176⤵
        
        PID:14180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        177⤵
        
        PID:14236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        178⤵
        
        PID:14320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        179⤵
        
        PID:2112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        180⤵
        
        PID:14024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        181⤵
        
        PID:10312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        182⤵
        
        PID:10744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        183⤵
        
        PID:5308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        184⤵
        
        PID:14104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        185⤵
        
        PID:14100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        186⤵
        
        PID:12408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        187⤵
        
        PID:13480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        188⤵
        
        PID:5996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        189⤵
        
        PID:14364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        190⤵
        
        PID:14472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        191⤵
        
        PID:14528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        192⤵
        
        PID:14640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        193⤵
        
        PID:14756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        194⤵
        
        PID:14844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        195⤵
        
        PID:15060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        196⤵
        
        PID:15200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        197⤵
        
        PID:15268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        198⤵
        
        PID:6128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        199⤵
        
        PID:4864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        200⤵
        
        PID:14548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        201⤵
        
        PID:14544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        202⤵
        
        PID:14680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        203⤵
        
        PID:14816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        204⤵
        
        PID:6748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        205⤵
        
        PID:15152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        206⤵
        
        PID:15312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        207⤵
        
        PID:5152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        208⤵
        
        PID:14736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        209⤵
        
        PID:7260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        210⤵
        
        PID:14868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        211⤵
        
        PID:15172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        212⤵
        
        PID:15316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        213⤵
        
        PID:14900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        214⤵
        
        PID:14568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        215⤵
        
        PID:15008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        216⤵
        
        PID:15380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        217⤵
        
        PID:15432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        218⤵
        
        PID:15480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        219⤵
        
        PID:15536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        220⤵
        
        PID:15588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        221⤵
        
        PID:15640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        222⤵
        
        PID:15692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        223⤵
        
        PID:15744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        224⤵
        
        PID:15792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        225⤵
        
        PID:15844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        226⤵
        
        PID:15896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        227⤵
        
        PID:15952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        228⤵
        
        PID:16004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        229⤵
        
        PID:16056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        230⤵
        
        PID:16108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        231⤵
        
        PID:16160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        232⤵
        
        PID:16228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        233⤵
        
        PID:16280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        234⤵
        
        PID:16344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        235⤵
        
        PID:7892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        236⤵
        
        PID:15820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        237⤵
        
        PID:4316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        238⤵
        
        PID:5868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        239⤵
        
        PID:8976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        240⤵
        
        PID:8756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        241⤵
        
        PID:9016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        242⤵
        
        PID:14684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        243⤵
        
        PID:280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        244⤵
        
        PID:9504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        245⤵
        
        PID:9712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        246⤵
        
        PID:16476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        247⤵
        
        PID:16548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        248⤵
        
        PID:16644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        249⤵
        
        PID:16716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        250⤵
        
        PID:16828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        251⤵
        
        PID:16936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        252⤵
        
        PID:17032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        253⤵
        
        PID:17116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        254⤵
        
        PID:17220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        255⤵
        
        PID:17320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        256⤵
        
        PID:17384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        257⤵
        
        PID:16416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        258⤵
        
        PID:16424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        259⤵
        
        PID:10192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        260⤵
        
        PID:16932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        261⤵
        
        PID:17048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        262⤵
        
        PID:17208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        263⤵
        
        PID:17328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        264⤵
        
        PID:17400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        265⤵
        
        PID:16512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        266⤵
        
        PID:16460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        267⤵
        
        PID:8400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        268⤵
        
        PID:11232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        269⤵
        
        PID:10528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        270⤵
        
        PID:9644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        271⤵
        
        PID:17128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        272⤵
        
        PID:9896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        273⤵
        
        PID:10732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        274⤵
        
        PID:11852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        275⤵
        
        PID:12236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        276⤵
        
        PID:11656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        277⤵
        
        PID:11884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        278⤵
        
        PID:6892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        279⤵
        
        PID:17424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        280⤵
        
        PID:17480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        281⤵
        
        PID:17532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        282⤵
        
        PID:17584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        283⤵
        
        PID:17636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        284⤵
        
        PID:17724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        285⤵
        
        PID:17776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        286⤵
        
        PID:17832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        287⤵
        
        PID:17884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        288⤵
        
        PID:17932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        289⤵
        
        PID:18024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        290⤵
        
        PID:18096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        291⤵
        
        PID:18216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        292⤵
        
        PID:18304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        293⤵
        
        PID:18380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        294⤵
        
        PID:17612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        295⤵
        
        PID:17440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        296⤵
        
        PID:13276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        297⤵
        
        PID:18108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        298⤵
        
        PID:18172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        299⤵
        
        PID:5880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        300⤵
        
        PID:12984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        301⤵
        
        PID:12788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        302⤵
        
        PID:9476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        303⤵
        
        PID:18208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        304⤵
        
        PID:18352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        305⤵
        
        PID:13896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        306⤵
        
        PID:12628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        307⤵
        
        PID:17992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        308⤵
        
        PID:14260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        309⤵
        
        PID:18264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        310⤵
        
        PID:13648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        311⤵
        
        PID:4840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        312⤵
        
        PID:2272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        313⤵
        
        PID:4164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        314⤵
        
        PID:6036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        315⤵
        
        PID:18072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        316⤵
        
        PID:3220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        317⤵
        
        PID:5756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        318⤵
        
        PID:6172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        319⤵
        
        PID:18512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        320⤵
        
        PID:18608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        321⤵
        
        PID:18728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        322⤵
        
        PID:18784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        323⤵
        
        PID:18836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        324⤵
        
        PID:18888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        325⤵
        
        PID:18996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        326⤵
        
        PID:19104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        327⤵
        
        PID:19212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        328⤵
        
        PID:19264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        329⤵
        
        PID:19352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        330⤵
        
        PID:19416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        331⤵
        
        PID:4704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        332⤵
        
        PID:15124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        333⤵
        
        PID:18676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        334⤵
        
        PID:3292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        335⤵
        
        PID:18520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        336⤵
        
        PID:10364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        337⤵
        
        PID:6372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        338⤵
        
        PID:7532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        339⤵
        
        PID:14924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        340⤵
        
        PID:14356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        341⤵
        
        PID:14904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        342⤵
        
        PID:7956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        343⤵
        
        PID:15584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        344⤵
        
        PID:7680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        345⤵
        
        PID:19480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        346⤵
        
        PID:19576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        347⤵
        
        PID:19716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        348⤵
        
        PID:19868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        349⤵
        
        PID:19940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        350⤵
        
        PID:20056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        351⤵
        
        PID:20148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        352⤵
        
        PID:20208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        353⤵
        
        PID:20340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        354⤵
        
        PID:20412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        355⤵
        
        PID:7696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        356⤵
        
        PID:8320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        357⤵
        
        PID:19588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        358⤵
        
        PID:19728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        359⤵
        
        PID:5548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        360⤵
        
        PID:19700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        361⤵
        
        PID:19896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        362⤵
        
        PID:4320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        363⤵
        
        PID:3332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        364⤵
        
        PID:20072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        365⤵
        
        PID:8840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        366⤵
        
        PID:20332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        367⤵
        
        PID:5684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        368⤵
        
        PID:9380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        369⤵
        
        PID:9732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        370⤵
        
        PID:5224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        371⤵
        
        PID:19688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        372⤵
        
        PID:19648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        373⤵
        
        PID:10504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        374⤵
        
        PID:19928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        375⤵
        
        PID:10552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        376⤵
        
        PID:5720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        377⤵
        
        PID:11052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        378⤵
        
        PID:10140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        379⤵
        
        PID:16872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        380⤵
        
        PID:11464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        381⤵
        
        PID:20444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        382⤵
        
        PID:16808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        383⤵
        
        PID:16616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        384⤵
        
        PID:12188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        385⤵
        
        PID:17020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        386⤵
        
        PID:12068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        387⤵
        
        PID:12152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        388⤵
        
        PID:11876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        389⤵
        
        PID:12340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        390⤵
        
        PID:19712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        391⤵
        
        PID:8180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        392⤵
        
        PID:19844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        393⤵
        
        PID:12768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        394⤵
        
        PID:17908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        395⤵
        
        PID:1124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        396⤵
        
        PID:12700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        397⤵
        
        PID:18372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        398⤵
        
        PID:11216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        399⤵
        
        PID:18000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        400⤵
        
        PID:18148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        26⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x31c,0x7ff8ce8ef208,0x7ff8ce8ef214,0x7ff8ce8ef220
        27⤵
        
        PID:6200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1696,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:3
        27⤵
        
        PID:6532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2240,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=2452 /prefetch:8
        27⤵
        
        PID:6560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2224,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
        27⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        27⤵
        
        PID:6868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        27⤵
        
        PID:6876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4800,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:1
        27⤵
        
        PID:6952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5112,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        27⤵
        
        PID:7352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5252,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:8
        27⤵
        Modifies registry class
        
        PID:8076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5148,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
        27⤵
        
        PID:8072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3628,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=3788 /prefetch:8
        27⤵
        
        PID:8368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5236,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8
        27⤵
        
        PID:8376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:8
        27⤵
        
        PID:8496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
        27⤵
        
        PID:10336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
        27⤵
        
        PID:10356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6568,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:8
        27⤵
        
        PID:14884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:8
        27⤵
        
        PID:14892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6580,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
        27⤵
        
        PID:14900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3768,i,1666103069741420946,4849242601979120583,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
        27⤵
        
        PID:4708
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:5708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3548
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5452
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5400
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3656
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5840
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5980
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5264
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6356
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7140
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7484
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8568
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:8884
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:9048
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9172
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8328
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:8824
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9144
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9332
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:9476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11412
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11580
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11716
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11984
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:12132
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:12244
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11620
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11924
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11896
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11988
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:12384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:12512
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:12672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:12792
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:12936
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:13096
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:13500
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:14092
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:12408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:13500
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:12456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:4188
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:14396
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:14536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:14672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:14808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:15108
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:15312
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:5152
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:14536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:14904
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:14920
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:15156
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:4812
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:3224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:8344
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:8784
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:5140
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:8688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:9304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:16424
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:16604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:16736
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:16864
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:16992
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:17108
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:17268
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:9596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:16440
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:16844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:17040
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:17244
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:17988
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:18144
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:18268
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:18396
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:9476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:18032
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:18160
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:12628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:18128
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:13748
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:18420
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:2256
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:3808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:14208
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:1880
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:2624
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:5388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:18520
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:18984
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:15716
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:19560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:19708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:19932
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:20224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:20456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:19648
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:19748
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:4268
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:3976
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:20180
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:20228
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:8492
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:9332
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:17356
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:11216
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:16188
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:13136
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:7404
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:3604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:14244
- - C:\Windows\pei.exe
    "C:\Windows\pei.exe"
    3⤵
    PID:16812
  - - C:\Users\Admin\AppData\Local\Temp\2264811766.exe
      C:\Users\Admin\AppData\Local\Temp\2264811766.exe
      4⤵
      PID:10648
    - - C:\Windows\sysldrvcs.exe
        
        C:\Windows\sysldrvcs.exe
        5⤵
        
        PID:17660
      - C:\Users\Admin\AppData\Local\Temp\875316084.exe
        
        C:\Users\Admin\AppData\Local\Temp\875316084.exe
        6⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\89031325.exe
        
        C:\Users\Admin\AppData\Local\Temp\89031325.exe
        7⤵
        
        PID:20092
        
        C:\Users\Admin\AppData\Local\Temp\746427757.exe
        
        C:\Users\Admin\AppData\Local\Temp\746427757.exe
        7⤵
        
        PID:11328
        
        C:\Users\Admin\AppData\Local\Temp\564818971.exe
        
        C:\Users\Admin\AppData\Local\Temp\564818971.exe
        7⤵
        
        PID:13260
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:13712
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:16084
      - C:\Users\Admin\AppData\Local\Temp\155548774.exe
        
        C:\Users\Admin\AppData\Local\Temp\155548774.exe
        6⤵
        
        PID:19692
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    PID:19692
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CheckpointTest.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:19948
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\WatchExit.docx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:18012
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\chrome_installer.log.lcryx
    3⤵
    PID:14188
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\ga.txt.lcryx
    3⤵
    PID:17632
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\hr.txt.lcryx
    3⤵
    PID:13524
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\kaa.txt.lcryx
    3⤵
    PID:3668
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\ku.txt.lcryx
    3⤵
    PID:15068
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\th.txt.lcryx
    3⤵
    PID:19740
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\7-Zip\Lang\tr.txt.lcryx
    3⤵
    PID:18828
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.lcryx
    3⤵
    PID:14820
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.lcryx
    3⤵
    PID:15168
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.lcryx
    3⤵
    PID:20048
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.lcryx
    3⤵
    PID:12720
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.lcryx
    3⤵
    PID:15340
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.lcryx
    3⤵
    PID:18680
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.lcryx
    3⤵
    PID:15456
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.lcryx
    3⤵
    PID:13716
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\ThirdPartyNotices.txt.lcryx
    3⤵
    PID:18980
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.lcryx
    3⤵
    PID:10428
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.lcryx
    3⤵
    PID:12752
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.lcryx
    3⤵
    PID:15444
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.lcryx
    3⤵
    PID:20300
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.lcryx
    3⤵
    PID:15488
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.lcryx
    3⤵
    PID:784
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.lcryx
    3⤵
    PID:6068
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.lcryx
    3⤵
    PID:3940
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.lcryx
    3⤵
    PID:6204
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.lcryx
    3⤵
    PID:5864
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.lcryx
    3⤵
    PID:3100
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.lcryx
    3⤵
    PID:19192
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.lcryx
    3⤵
    PID:14372
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.lcryx
    3⤵
    PID:17824
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.lcryx
    3⤵
    PID:11920
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.lcryx
    3⤵
    PID:12060
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.lcryx
    3⤵
    PID:18724
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.lcryx
    3⤵
    PID:19520
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.lcryx
    3⤵
    PID:18780
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.lcryx
    3⤵
    PID:18932
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.lcryx
    3⤵
    PID:19260
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.lcryx
    3⤵
    PID:7348
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.lcryx
    3⤵
    PID:4060
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.lcryx
    3⤵
    PID:4056
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.lcryx
    3⤵
    PID:18664
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.lcryx
    3⤵
    PID:20108
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.lcryx
    3⤵
    PID:20136
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.lcryx
    3⤵
    PID:12388
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.lcryx
    3⤵
    PID:20408
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.lcryx
    3⤵
    PID:3364
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.lcryx
    3⤵
    PID:8740
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.lcryx
    3⤵
    PID:16556
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.lcryx
    3⤵
    PID:16664
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.lcryx
    3⤵
    PID:6256
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.lcryx
    3⤵
    PID:13760
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.lcryx
    3⤵
    PID:3604
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.lcryx
    3⤵
    PID:19804
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.lcryx
    3⤵
    PID:6048
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.lcryx
    3⤵
    PID:17232
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.lcryx
    3⤵
    PID:13256
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.lcryx
    3⤵
    PID:16456
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.lcryx
    3⤵
    PID:1920
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.lcryx
    3⤵
    PID:20312
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.lcryx
    3⤵
    PID:17140
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.lcryx
    3⤵
    PID:17316
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.lcryx
    3⤵
    PID:9764
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.lcryx
    3⤵
    PID:3196
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.lcryx
    3⤵
    PID:9524
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.lcryx
    3⤵
    PID:14864
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.lcryx
    3⤵
    PID:18484
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.lcryx
    3⤵
    PID:16804
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.lcryx
    3⤵
    PID:12164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3160

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6888

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery