phorphiex | 12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs"	wscript.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000024505-1268.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral2/memory/7796-1351-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/7796-1352-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/7796-1354-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/7796-1359-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1381-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1382-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1380-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1379-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1378-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5824-1383-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1451-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1452-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1450-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1449-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1453-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1454-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/10648-1455-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
12	5572	wscript.exe
16	5572	wscript.exe
18	5572	wscript.exe
31	5572	wscript.exe
154	5572	wscript.exe
198	5572	wscript.exe

Blocks application from running via registry modification 14 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4688	wbadmin.exe

Disables RegEdit via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs"	wscript.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Updater = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-VirusScript = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1408	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File created	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File opened for modification	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/7796-1347-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1351-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1352-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1349-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1350-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1348-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1354-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1346-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/7796-1359-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1381-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1382-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1380-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1379-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1378-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5824-1383-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1451-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1452-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1450-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1449-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1453-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1454-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/10648-1455-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\advapi32_ext.vbs	wscript.exe
File opened for modification	C:\Windows\advapi32_ext.vbs	wscript.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4544	sc.exe
11888	sc.exe
7144	sc.exe
7688	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1708	vssadmin.exe

Kills process with taskkill 56 IoCs

pid	Process
9380	taskkill.exe
8376	taskkill.exe
2248	taskkill.exe
5308	taskkill.exe
4472	taskkill.exe
11928	taskkill.exe
9996	taskkill.exe
10144	taskkill.exe
6776	taskkill.exe
10496	taskkill.exe
10664	taskkill.exe
12900	taskkill.exe
9424	taskkill.exe
2892	taskkill.exe
1640	taskkill.exe
304	taskkill.exe
9288	taskkill.exe
5216	taskkill.exe
11676	taskkill.exe
11928	taskkill.exe
12328	taskkill.exe
4968	taskkill.exe
3496	taskkill.exe
9132	taskkill.exe
9480	taskkill.exe
9316	taskkill.exe
12708	taskkill.exe
13260	taskkill.exe
12408	taskkill.exe
3628	taskkill.exe
408	taskkill.exe
6772	taskkill.exe
9680	taskkill.exe
11928	taskkill.exe
13128	taskkill.exe
12596	taskkill.exe
13452	taskkill.exe
1608	taskkill.exe
7024	taskkill.exe
8708	taskkill.exe
9628	taskkill.exe
12168	taskkill.exe
10256	taskkill.exe
13280	taskkill.exe
3940	taskkill.exe
1492	taskkill.exe
6032	taskkill.exe
9228	taskkill.exe
10288	taskkill.exe
11532	taskkill.exe
12508	taskkill.exe
7448	taskkill.exe
2076	taskkill.exe
4092	taskkill.exe
9852	taskkill.exe
10028	taskkill.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Mouse	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Desktop	wscript.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3975168204-1612096350-4002976354-1000\{59DDF242-A9C2-44F5-B71C-E4D60BFE9256}	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

pid	Process
3752	notepad.exe
8104	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2304	wscript.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 51 IoCs

pid	Process
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeBackupPrivilege	776	vssvc.exe
Token: SeRestorePrivilege	776	vssvc.exe
Token: SeAuditPrivilege	776	vssvc.exe
Token: SeBackupPrivilege	4676	wbengine.exe
Token: SeRestorePrivilege	4676	wbengine.exe
Token: SeSecurityPrivilege	4676	wbengine.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5308	taskkill.exe
Token: SeSystemtimePrivilege	5788	cmd.exe
Token: SeSystemtimePrivilege	5788	cmd.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	6772	taskkill.exe
Token: SeSystemtimePrivilege	3820	cmd.exe
Token: SeSystemtimePrivilege	3820	cmd.exe
Token: SeSystemtimePrivilege	1168	cmd.exe
Token: SeSystemtimePrivilege	1168	cmd.exe
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeSystemtimePrivilege	1408	cmd.exe
Token: SeSystemtimePrivilege	1408	cmd.exe
Token: SeSystemtimePrivilege	1640	cmd.exe
Token: SeSystemtimePrivilege	1640	cmd.exe
Token: SeSystemtimePrivilege	3204	cmd.exe
Token: SeSystemtimePrivilege	3204	cmd.exe
Token: SeSystemtimePrivilege	4732	cmd.exe
Token: SeSystemtimePrivilege	4732	cmd.exe
Token: SeSystemtimePrivilege	2596	cmd.exe
Token: SeSystemtimePrivilege	2596	cmd.exe
Token: SeSystemtimePrivilege	5664	cmd.exe
Token: SeSystemtimePrivilege	5664	cmd.exe
Token: SeSystemtimePrivilege	1684	cmd.exe
Token: SeSystemtimePrivilege	1684	cmd.exe
Token: SeSystemtimePrivilege	1588	cmd.exe
Token: SeSystemtimePrivilege	1588	cmd.exe
Token: SeSystemtimePrivilege	2800	cmd.exe
Token: SeSystemtimePrivilege	2800	cmd.exe
Token: SeSystemtimePrivilege	3628	cmd.exe
Token: SeSystemtimePrivilege	3628	cmd.exe
Token: SeSystemtimePrivilege	4012	cmd.exe
Token: SeSystemtimePrivilege	1744	cmd.exe
Token: SeSystemtimePrivilege	1744	cmd.exe
Token: SeSystemtimePrivilege	4012	cmd.exe
Token: SeSystemtimePrivilege	4280	cmd.exe
Token: SeSystemtimePrivilege	4280	cmd.exe
Token: SeSystemtimePrivilege	6948	cmd.exe
Token: SeSystemtimePrivilege	6948	cmd.exe
Token: SeSystemtimePrivilege	6964	cmd.exe
Token: SeSystemtimePrivilege	6964	cmd.exe
Token: SeSystemtimePrivilege	6976	cmd.exe
Token: SeSystemtimePrivilege	6976	cmd.exe
Token: SeSystemtimePrivilege	6952	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5456	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4164	OpenWith.exe
1168	OpenWith.exe
3824	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 5572	2360	WScript.exe	86
PID 2360 wrote to memory of 5572	2360	WScript.exe	86
PID 5572 wrote to memory of 1408	5572	wscript.exe	87
PID 5572 wrote to memory of 1408	5572	wscript.exe	87
PID 5572 wrote to memory of 1044	5572	wscript.exe	90
PID 5572 wrote to memory of 1044	5572	wscript.exe	90
PID 5572 wrote to memory of 3708	5572	wscript.exe	93
PID 5572 wrote to memory of 3708	5572	wscript.exe	93
PID 5572 wrote to memory of 3136	5572	wscript.exe	95
PID 5572 wrote to memory of 3136	5572	wscript.exe	95
PID 3136 wrote to memory of 1708	3136	cmd.exe	97
PID 3136 wrote to memory of 1708	3136	cmd.exe	97
PID 5572 wrote to memory of 4820	5572	wscript.exe	101
PID 5572 wrote to memory of 4820	5572	wscript.exe	101
PID 4820 wrote to memory of 4688	4820	cmd.exe	103
PID 4820 wrote to memory of 4688	4820	cmd.exe	103
PID 5572 wrote to memory of 3752	5572	wscript.exe	107
PID 5572 wrote to memory of 3752	5572	wscript.exe	107
PID 5572 wrote to memory of 5308	5572	wscript.exe	165
PID 5572 wrote to memory of 5308	5572	wscript.exe	165
PID 5572 wrote to memory of 5296	5572	wscript.exe	302
PID 5572 wrote to memory of 5296	5572	wscript.exe	302
PID 5572 wrote to memory of 4076	5572	wscript.exe	113
PID 5572 wrote to memory of 4076	5572	wscript.exe	113
PID 5572 wrote to memory of 2304	5572	wscript.exe	114
PID 5572 wrote to memory of 2304	5572	wscript.exe	114
PID 2304 wrote to memory of 3628	2304	wscript.exe	192
PID 2304 wrote to memory of 3628	2304	wscript.exe	192
PID 4076 wrote to memory of 4696	4076	wscript.exe	117
PID 4076 wrote to memory of 4696	4076	wscript.exe	117
PID 5296 wrote to memory of 3868	5296	cmd.exe	173
PID 5296 wrote to memory of 3868	5296	cmd.exe	173
PID 5296 wrote to memory of 5884	5296	cmd.exe	119
PID 5296 wrote to memory of 5884	5296	cmd.exe	119
PID 5296 wrote to memory of 1936	5296	cmd.exe	176
PID 5296 wrote to memory of 1936	5296	cmd.exe	176
PID 5296 wrote to memory of 2120	5296	cmd.exe	121
PID 5296 wrote to memory of 2120	5296	cmd.exe	121
PID 5296 wrote to memory of 2188	5296	cmd.exe	122
PID 5296 wrote to memory of 2188	5296	cmd.exe	122
PID 5296 wrote to memory of 5552	5296	cmd.exe	123
PID 5296 wrote to memory of 5552	5296	cmd.exe	123
PID 4696 wrote to memory of 1200	4696	wscript.exe	128
PID 4696 wrote to memory of 1200	4696	wscript.exe	128
PID 1200 wrote to memory of 5776	1200	wscript.exe	131
PID 1200 wrote to memory of 5776	1200	wscript.exe	131
PID 5776 wrote to memory of 2524	5776	wscript.exe	133
PID 5776 wrote to memory of 2524	5776	wscript.exe	133
PID 2304 wrote to memory of 408	2304	wscript.exe	134
PID 2304 wrote to memory of 408	2304	wscript.exe	134
PID 2524 wrote to memory of 2928	2524	wscript.exe	136
PID 2524 wrote to memory of 2928	2524	wscript.exe	136
PID 2304 wrote to memory of 2248	2304	wscript.exe	137
PID 2304 wrote to memory of 2248	2304	wscript.exe	137
PID 2928 wrote to memory of 2652	2928	wscript.exe	139
PID 2928 wrote to memory of 2652	2928	wscript.exe	139
PID 2652 wrote to memory of 1356	2652	wscript.exe	140
PID 2652 wrote to memory of 1356	2652	wscript.exe	140
PID 2304 wrote to memory of 2076	2304	wscript.exe	185
PID 2304 wrote to memory of 2076	2304	wscript.exe	185
PID 1356 wrote to memory of 5468	1356	wscript.exe	143
PID 1356 wrote to memory of 5468	1356	wscript.exe	143
PID 5468 wrote to memory of 804	5468	wscript.exe	144
PID 5468 wrote to memory of 804	5468	wscript.exe	144

System policy modification 1 TTPs 19 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c.vbs" /elevated
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
    3⤵
    PID:1044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com" disable
    3⤵
    PID:3708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4688
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3752
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5296
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:3868
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:5884
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:1936
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2120
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:2188
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:5552
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        
        PID:804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        Checks computer location settings
        
        PID:1672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        
        PID:3524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        Checks computer location settings
        
        PID:5744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        
        PID:3676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        
        PID:1484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        
        PID:288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        
        PID:4372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        
        PID:5680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        Checks computer location settings
        
        PID:5520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        
        PID:6060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        Checks computer location settings
        
        PID:3868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        
        PID:1936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        
        PID:1472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        Checks computer location settings
        
        PID:624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        Checks computer location settings
        
        PID:2076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        Checks computer location settings
        
        PID:6404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        Checks computer location settings
        
        PID:6868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        Checks computer location settings
        
        PID:7044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        Checks computer location settings
        
        PID:6656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        
        PID:2756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        
        PID:316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        Checks computer location settings
        
        PID:6220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        Checks computer location settings
        
        PID:2228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        Checks computer location settings
        
        PID:3948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        Checks computer location settings
        
        PID:5556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        
        PID:7100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        Checks computer location settings
        
        PID:8988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        Checks computer location settings
        
        PID:9104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        Checks computer location settings
        
        PID:9208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        Checks computer location settings
        
        PID:8820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        
        PID:9144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        
        PID:9320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        
        PID:9500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        
        PID:9648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        
        PID:9792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        Checks computer location settings
        
        PID:9920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:10004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        
        PID:10108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        
        PID:10212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        Checks computer location settings
        
        PID:8972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        Checks computer location settings
        
        PID:9304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        Checks computer location settings
        
        PID:9328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        Checks computer location settings
        
        PID:9704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        
        PID:9912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        Checks computer location settings
        
        PID:10048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        
        PID:10224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        
        PID:9448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        
        PID:9404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        
        PID:9720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        Checks computer location settings
        
        PID:6496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        Checks computer location settings
        
        PID:8824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        
        PID:10092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        
        PID:10016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        Checks computer location settings
        
        PID:10296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        Checks computer location settings
        
        PID:10404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        
        PID:10524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        
        PID:10616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        
        PID:10724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        
        PID:10896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        
        PID:11016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:11100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        
        PID:11164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        Checks computer location settings
        
        PID:11236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        Checks computer location settings
        
        PID:10396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        
        PID:10560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:10504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        Checks computer location settings
        
        PID:10708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        Checks computer location settings
        
        PID:6800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        
        PID:10984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        Checks computer location settings
        
        PID:10604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        Checks computer location settings
        
        PID:10372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        
        PID:10788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        Checks computer location settings
        
        PID:10836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        Checks computer location settings
        
        PID:11140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        
        PID:3092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        Checks computer location settings
        
        PID:6780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        90⤵
        
        PID:11272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        91⤵
        
        PID:11344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        92⤵
        
        PID:11392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        93⤵
        Checks computer location settings
        
        PID:11440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        94⤵
        Checks computer location settings
        
        PID:11500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        95⤵
        
        PID:11564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        96⤵
        
        PID:11620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        97⤵
        
        PID:11728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        98⤵
        Checks computer location settings
        
        PID:11876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        99⤵
        Checks computer location settings
        
        PID:12056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        100⤵
        Checks computer location settings
        
        PID:12160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        101⤵
        
        PID:11472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        102⤵
        
        PID:12012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        103⤵
        Checks computer location settings
        
        PID:12120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        104⤵
        
        PID:12284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        105⤵
        
        PID:12276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        106⤵
        
        PID:11956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        107⤵
        
        PID:11960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        108⤵
        
        PID:12392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        109⤵
        Checks computer location settings
        
        PID:12468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        110⤵
        Checks computer location settings
        
        PID:12564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        111⤵
        Checks computer location settings
        
        PID:12648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        112⤵
        
        PID:12744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        113⤵
        Checks computer location settings
        
        PID:12852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        114⤵
        Checks computer location settings
        
        PID:13012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        115⤵
        
        PID:13084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        116⤵
        Checks computer location settings
        
        PID:13200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        117⤵
        
        PID:13288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        118⤵
        
        PID:4984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        119⤵
        
        PID:12384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        120⤵
        Checks computer location settings
        
        PID:12532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        121⤵
        Checks computer location settings
        
        PID:12376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        122⤵
        
        PID:13176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        123⤵
        Checks computer location settings
        
        PID:11640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        124⤵
        
        PID:12732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        125⤵
        
        PID:3656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        126⤵
        
        PID:13160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        127⤵
        
        PID:13280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        128⤵
        
        PID:2940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        129⤵
        Checks computer location settings
        
        PID:7128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        130⤵
        Checks computer location settings
        
        PID:2324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        131⤵
        
        PID:9136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        132⤵
        
        PID:13356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        133⤵
        Checks computer location settings
        
        PID:13524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        134⤵
        Checks computer location settings
        
        PID:13584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        135⤵
        
        PID:13644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        136⤵
        
        PID:13752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        137⤵
        
        PID:13804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        138⤵
        
        PID:13856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        139⤵
        Checks computer location settings
        
        PID:13916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        140⤵
        
        PID:14012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        141⤵
        
        PID:14088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        142⤵
        
        PID:14152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        143⤵
        
        PID:14212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        144⤵
        
        PID:14268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        29⤵
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        29⤵
        
        PID:6420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        27⤵
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        26⤵
        
        PID:6204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        24⤵
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        23⤵
        
        PID:6716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        22⤵
        
        PID:7036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        22⤵
        
        PID:6964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        21⤵
        
        PID:6688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        20⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ff8686df208,0x7ff8686df214,0x7ff8686df220
        21⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=77549930217664 --process=256 /prefetch:7 --thread=3776
        22⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1792,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
        21⤵
        
        PID:2456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2
        21⤵
        
        PID:3476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2364,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:8
        21⤵
        
        PID:60
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        21⤵
        
        PID:1132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        21⤵
        
        PID:4260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4544,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:1
        21⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:8
        21⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5020,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        21⤵
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
        21⤵
        
        PID:1492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5028,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:8
        21⤵
        Modifies registry class
        
        PID:1732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5124,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:1
        21⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5132,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:1
        21⤵
        
        PID:6628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5244,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:1
        21⤵
        
        PID:6420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5288,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6752 /prefetch:1
        21⤵
        
        PID:6316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5300,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:1
        21⤵
        
        PID:6328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=5352,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6820 /prefetch:1
        21⤵
        
        PID:6800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5416,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:1
        21⤵
        
        PID:6480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5424,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6900 /prefetch:1
        21⤵
        
        PID:6256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5452,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:1
        21⤵
        
        PID:6180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5460,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:1
        21⤵
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5512,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:1
        21⤵
        
        PID:7004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5540,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:1
        21⤵
        
        PID:6640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7112,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:1
        21⤵
        
        PID:6996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=5612,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1
        21⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5628,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:1
        21⤵
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5636,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:1
        21⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5684,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:1
        21⤵
        
        PID:5296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5660,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:1
        21⤵
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=5756,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:1
        21⤵
        
        PID:6768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=5740,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:1
        21⤵
        
        PID:6336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=5772,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7324 /prefetch:1
        21⤵
        
        PID:6068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=6228,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7592 /prefetch:1
        21⤵
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=6048,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7452 /prefetch:1
        21⤵
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6032,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7432 /prefetch:1
        21⤵
        
        PID:1252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5880,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7372 /prefetch:1
        21⤵
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=6004,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7412 /prefetch:1
        21⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=5960,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7396 /prefetch:1
        21⤵
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5944,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7384 /prefetch:1
        21⤵
        
        PID:7140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=5828,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:1
        21⤵
        
        PID:6708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=6164,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7600 /prefetch:1
        21⤵
        
        PID:7000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=6124,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7492 /prefetch:1
        21⤵
        
        PID:6972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6096,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:1
        21⤵
        
        PID:6320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=7296,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7276 /prefetch:1
        21⤵
        
        PID:6192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=6188,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:1
        21⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=6300,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7792 /prefetch:1
        21⤵
        
        PID:6792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=6328,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7860 /prefetch:1
        21⤵
        
        PID:7064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=6368,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7876 /prefetch:1
        21⤵
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6396,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7940 /prefetch:1
        21⤵
        
        PID:6748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=6432,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7916 /prefetch:1
        21⤵
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=6464,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8016 /prefetch:1
        21⤵
        
        PID:2892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=6484,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8032 /prefetch:1
        21⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=6516,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:1
        21⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=6556,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8048 /prefetch:1
        21⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=6584,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8176 /prefetch:1
        21⤵
        
        PID:4664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=6612,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8224 /prefetch:1
        21⤵
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=6644,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=8228 /prefetch:1
        21⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=13372,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:1
        21⤵
        
        PID:8956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11272,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:8
        21⤵
        
        PID:11812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11220,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=11260 /prefetch:8
        21⤵
        
        PID:11824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5644,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:8
        21⤵
        
        PID:11852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=13896 /prefetch:8
        21⤵
        
        PID:11336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10180,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:8
        21⤵
        
        PID:4376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5672,i,13454172063354252045,12603059543510483936,262144 --variations-seed-version --mojo-platform-channel-handle=13928 /prefetch:8
        21⤵
        
        PID:11420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        19⤵
        
        PID:6628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        18⤵
        
        PID:6716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        17⤵
        
        PID:4520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        16⤵
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        15⤵
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        14⤵
        
        PID:6316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        13⤵
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        12⤵
        
        PID:3496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        11⤵
        
        PID:6748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        10⤵
        
        PID:6908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        9⤵
        
        PID:6312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        8⤵
        
        PID:6300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        7⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        7⤵
        
        PID:6428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        6⤵
        
        PID:6348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        5⤵
        
        PID:6528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time 00:00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
      4⤵
      PID:7084
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs
    3⤵
    - Checks computer location settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5308
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4092
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6772
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:6032
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:7024
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:8708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:9288
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:9628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:9852
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:9996
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:10144
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:9132
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:9480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:9680
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:10028
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:9228
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:9316
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:6776
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:9380
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:5216
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:10288
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:10496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:10664
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:11676
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:11928
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:12168
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:11928
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:11532
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:11928
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:12328
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:12508
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:12708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:12900
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:13128
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:13260
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:12408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:10256
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:8376
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:13280
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:9424
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:12596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:13452
- - C:\Windows\pei.exe
    "C:\Windows\pei.exe"
    3⤵
    PID:7580
  - - C:\Users\Admin\AppData\Local\Temp\1821129085.exe
      C:\Users\Admin\AppData\Local\Temp\1821129085.exe
      4⤵
      PID:7216
    - - C:\Windows\sysldrvcs.exe
        
        C:\Windows\sysldrvcs.exe
        5⤵
        
        PID:13660
      - C:\Users\Admin\AppData\Local\Temp\2838429677.exe
        
        C:\Users\Admin\AppData\Local\Temp\2838429677.exe
        6⤵
        
        PID:13964
        
        C:\Users\Admin\AppData\Local\Temp\638814105.exe
        
        C:\Users\Admin\AppData\Local\Temp\638814105.exe
        7⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\156775930.exe
        
        C:\Users\Admin\AppData\Local\Temp\156775930.exe
        7⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\566429452.exe
        
        C:\Users\Admin\AppData\Local\Temp\566429452.exe
        7⤵
        
        PID:7596
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:7144
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "MgrDrvSvc" binpath= "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:7688
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:11888
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\745621045.exe
        
        C:\Users\Admin\AppData\Local\Temp\745621045.exe
        6⤵
        
        PID:14240
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7448
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BackupSearch.dxf.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x39c
1⤵
PID:8624

C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
1⤵
PID:7924
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:14332
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:13668
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:8948
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:3056
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:5824
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:2976
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:10648
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:7796

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:7424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery