phorphiex | 8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs"	wscript.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000f000000024264-995.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral2/memory/3596-1078-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3596-1081-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3596-1082-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3596-1079-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1108-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1107-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1106-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1105-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1109-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/11280-1104-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1149-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1150-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1164-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1148-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1147-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4588-1146-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/16276-1196-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/16276-1194-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/16276-1193-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	1492	wscript.exe
20	1492	wscript.exe
22	1492	wscript.exe
33	1492	wscript.exe

Blocks application from running via registry modification 14 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4672	wbadmin.exe

Disables RegEdit via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Updater = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-VirusScript = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File created	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File opened for modification	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File created	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-1073-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1078-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1074-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1075-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1081-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1082-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1079-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1077-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3596-1076-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1108-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1107-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1106-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1105-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1109-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/11280-1104-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1149-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1150-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1164-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1148-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1147-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4588-1146-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/16276-1196-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/16276-1194-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/16276-1193-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\advapi32_ext.vbs	wscript.exe
File created	C:\Windows\advapi32_ext.vbs	wscript.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
14568	sc.exe
15632	sc.exe
15120	sc.exe
15028	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
716	vssadmin.exe

Kills process with taskkill 39 IoCs

pid	Process
5828	taskkill.exe
5152	taskkill.exe
11480	taskkill.exe
14300	taskkill.exe
5920	taskkill.exe
11796	taskkill.exe
10164	taskkill.exe
10692	taskkill.exe
11564	taskkill.exe
2680	taskkill.exe
12616	taskkill.exe
15404	taskkill.exe
3872	taskkill.exe
3420	taskkill.exe
4788	taskkill.exe
7608	taskkill.exe
1652	taskkill.exe
5868	taskkill.exe
304	taskkill.exe
4896	taskkill.exe
5952	taskkill.exe
3380	taskkill.exe
6764	taskkill.exe
9288	taskkill.exe
12864	taskkill.exe
13160	taskkill.exe
13608	taskkill.exe
6508	taskkill.exe
6068	taskkill.exe
3620	taskkill.exe
6340	taskkill.exe
12368	taskkill.exe
12616	taskkill.exe
10972	taskkill.exe
12480	taskkill.exe
12368	taskkill.exe
13936	taskkill.exe
2952	taskkill.exe
2640	taskkill.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\Mouse	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\Desktop	wscript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	calc.exe

Opens file in notepad (likely ransom note) 7 IoCs

pid	Process
8396	notepad.exe
8788	notepad.exe
4644	notepad.exe
3004	notepad.exe
9732	notepad.exe
14224	notepad.exe
5372	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	powershell.exe
3040	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeBackupPrivilege	4916	vssvc.exe
Token: SeRestorePrivilege	4916	vssvc.exe
Token: SeAuditPrivilege	4916	vssvc.exe
Token: SeBackupPrivilege	4780	wbengine.exe
Token: SeRestorePrivilege	4780	wbengine.exe
Token: SeSecurityPrivilege	4780	wbengine.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe
Token: SeDebugPrivilege	5868	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	6068	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5828	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeSystemtimePrivilege	3040	cmd.exe
Token: SeSystemtimePrivilege	3040	cmd.exe
Token: SeSystemtimePrivilege	5024	cmd.exe
Token: SeSystemtimePrivilege	5024	cmd.exe
Token: SeSystemtimePrivilege	2008	cmd.exe
Token: SeSystemtimePrivilege	2008	cmd.exe
Token: SeSystemtimePrivilege	3028	cmd.exe
Token: SeSystemtimePrivilege	3028	cmd.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeSystemtimePrivilege	6572	cmd.exe
Token: SeSystemtimePrivilege	6572	cmd.exe
Token: SeSystemtimePrivilege	6516	cmd.exe
Token: SeSystemtimePrivilege	6516	cmd.exe
Token: SeSystemtimePrivilege	6616	cmd.exe
Token: SeSystemtimePrivilege	6616	cmd.exe
Token: SeSystemtimePrivilege	6672	cmd.exe
Token: SeSystemtimePrivilege	6672	cmd.exe
Token: SeSystemtimePrivilege	6632	cmd.exe
Token: SeSystemtimePrivilege	6632	cmd.exe
Token: SeSystemtimePrivilege	6544	cmd.exe
Token: SeSystemtimePrivilege	6544	cmd.exe
Token: SeDebugPrivilege	6340	taskkill.exe
Token: SeSystemtimePrivilege	6640	cmd.exe
Token: SeSystemtimePrivilege	6640	cmd.exe
Token: SeSystemtimePrivilege	6580	cmd.exe
Token: SeSystemtimePrivilege	6580	cmd.exe
Token: SeSystemtimePrivilege	6688	cmd.exe
Token: SeSystemtimePrivilege	6688	cmd.exe
Token: SeSystemtimePrivilege	6588	cmd.exe
Token: SeSystemtimePrivilege	6588	cmd.exe
Token: SeSystemtimePrivilege	6608	cmd.exe
Token: SeSystemtimePrivilege	6536	cmd.exe
Token: SeSystemtimePrivilege	6608	cmd.exe
Token: SeSystemtimePrivilege	6536	cmd.exe
Token: SeSystemtimePrivilege	6760	cmd.exe
Token: SeSystemtimePrivilege	6760	cmd.exe
Token: SeSystemtimePrivilege	6748	cmd.exe
Token: SeSystemtimePrivilege	6896	cmd.exe
Token: SeSystemtimePrivilege	6748	cmd.exe
Token: SeSystemtimePrivilege	6896	cmd.exe
Token: SeSystemtimePrivilege	6528	cmd.exe
Token: SeSystemtimePrivilege	6528	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
432	OpenWith.exe
6120	OpenWith.exe
2960	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1492	2244	WScript.exe	88
PID 2244 wrote to memory of 1492	2244	WScript.exe	88
PID 1492 wrote to memory of 3040	1492	wscript.exe	89
PID 1492 wrote to memory of 3040	1492	wscript.exe	89
PID 1492 wrote to memory of 3956	1492	wscript.exe	93
PID 1492 wrote to memory of 3956	1492	wscript.exe	93
PID 1492 wrote to memory of 4488	1492	wscript.exe	96
PID 1492 wrote to memory of 4488	1492	wscript.exe	96
PID 1492 wrote to memory of 4572	1492	wscript.exe	98
PID 1492 wrote to memory of 4572	1492	wscript.exe	98
PID 4572 wrote to memory of 716	4572	cmd.exe	100
PID 4572 wrote to memory of 716	4572	cmd.exe	100
PID 1492 wrote to memory of 4652	1492	wscript.exe	103
PID 1492 wrote to memory of 4652	1492	wscript.exe	103
PID 4652 wrote to memory of 4672	4652	cmd.exe	105
PID 4652 wrote to memory of 4672	4652	cmd.exe	105
PID 1492 wrote to memory of 4644	1492	wscript.exe	109
PID 1492 wrote to memory of 4644	1492	wscript.exe	109
PID 1492 wrote to memory of 3660	1492	wscript.exe	112
PID 1492 wrote to memory of 3660	1492	wscript.exe	112
PID 1492 wrote to memory of 6068	1492	wscript.exe	160
PID 1492 wrote to memory of 6068	1492	wscript.exe	160
PID 1492 wrote to memory of 5888	1492	wscript.exe	115
PID 1492 wrote to memory of 5888	1492	wscript.exe	115
PID 1492 wrote to memory of 2340	1492	wscript.exe	116
PID 1492 wrote to memory of 2340	1492	wscript.exe	116
PID 5888 wrote to memory of 3724	5888	wscript.exe	118
PID 5888 wrote to memory of 3724	5888	wscript.exe	118
PID 2340 wrote to memory of 1652	2340	wscript.exe	117
PID 2340 wrote to memory of 1652	2340	wscript.exe	117
PID 6068 wrote to memory of 412	6068	cmd.exe	120
PID 6068 wrote to memory of 412	6068	cmd.exe	120
PID 6068 wrote to memory of 4368	6068	cmd.exe	121
PID 6068 wrote to memory of 4368	6068	cmd.exe	121
PID 6068 wrote to memory of 208	6068	cmd.exe	202
PID 6068 wrote to memory of 208	6068	cmd.exe	202
PID 6068 wrote to memory of 5308	6068	cmd.exe	123
PID 6068 wrote to memory of 5308	6068	cmd.exe	123
PID 6068 wrote to memory of 5244	6068	cmd.exe	194
PID 6068 wrote to memory of 5244	6068	cmd.exe	194
PID 6068 wrote to memory of 116	6068	cmd.exe	125
PID 6068 wrote to memory of 116	6068	cmd.exe	125
PID 3724 wrote to memory of 5928	3724	wscript.exe	129
PID 3724 wrote to memory of 5928	3724	wscript.exe	129
PID 5928 wrote to memory of 3924	5928	wscript.exe	131
PID 5928 wrote to memory of 3924	5928	wscript.exe	131
PID 2340 wrote to memory of 3380	2340	wscript.exe	133
PID 2340 wrote to memory of 3380	2340	wscript.exe	133
PID 3924 wrote to memory of 1792	3924	wscript.exe	136
PID 3924 wrote to memory of 1792	3924	wscript.exe	136
PID 2340 wrote to memory of 5868	2340	wscript.exe	138
PID 2340 wrote to memory of 5868	2340	wscript.exe	138
PID 1792 wrote to memory of 3200	1792	wscript.exe	139
PID 1792 wrote to memory of 3200	1792	wscript.exe	139
PID 3200 wrote to memory of 2972	3200	wscript.exe	141
PID 3200 wrote to memory of 2972	3200	wscript.exe	141
PID 2340 wrote to memory of 3872	2340	wscript.exe	180
PID 2340 wrote to memory of 3872	2340	wscript.exe	180
PID 2972 wrote to memory of 3272	2972	wscript.exe	144
PID 2972 wrote to memory of 3272	2972	wscript.exe	144
PID 3272 wrote to memory of 2872	3272	wscript.exe	145
PID 3272 wrote to memory of 2872	3272	wscript.exe	145
PID 2340 wrote to memory of 2952	2340	wscript.exe	201
PID 2340 wrote to memory of 2952	2340	wscript.exe	201

System policy modification 1 TTPs 19 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\8642cb9e190179e87f01d91201b35264b9d29ce6b3233d1bd9349bcdd94e5d28.vbs" /elevated
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
    3⤵
    PID:3956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com" disable
    3⤵
    PID:4488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4672
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4644
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6068
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:412
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:4368
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:208
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:5308
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:5244
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:116
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5888
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5928
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        11⤵
        Checks computer location settings
        
        PID:2872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        Checks computer location settings
        
        PID:1824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        Checks computer location settings
        
        PID:4764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        Checks computer location settings
        
        PID:3912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        Checks computer location settings
        
        PID:3932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        Checks computer location settings
        
        PID:5200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        Checks computer location settings
        
        PID:924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        Checks computer location settings
        
        PID:1112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        Checks computer location settings
        
        PID:5796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        Checks computer location settings
        
        PID:2424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        Checks computer location settings
        
        PID:2080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        Checks computer location settings
        
        PID:2980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        Checks computer location settings
        
        PID:4156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        Checks computer location settings
        
        PID:3936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        Checks computer location settings
        
        PID:208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        Checks computer location settings
        
        PID:6920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        Checks computer location settings
        
        PID:5272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        Checks computer location settings
        
        PID:6324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        Checks computer location settings
        
        PID:6188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        Checks computer location settings
        
        PID:300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        Checks computer location settings
        
        PID:6772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        
        PID:6764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        
        PID:7248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        
        PID:7328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        
        PID:7432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        
        PID:7544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        
        PID:7656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        
        PID:7760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        
        PID:7852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        
        PID:7956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        
        PID:8048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        
        PID:8148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        
        PID:7552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        
        PID:8240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        
        PID:8336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:8424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        
        PID:8552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        
        PID:8652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        
        PID:8760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        
        PID:8860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        
        PID:8984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        
        PID:9076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        
        PID:10212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        
        PID:3472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        
        PID:9296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        
        PID:9752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        
        PID:10492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        
        PID:10892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        
        PID:11228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        
        PID:11500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        
        PID:11956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        
        PID:12104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        
        PID:11436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        
        PID:11940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        
        PID:11648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        
        PID:12216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        
        PID:9452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        
        PID:12172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        
        PID:12448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:12584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        
        PID:12748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        
        PID:12872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        
        PID:13036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        
        PID:13224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:3480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        
        PID:12740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        
        PID:5444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        
        PID:9648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        
        PID:1280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        
        PID:13464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        
        PID:13572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        
        PID:13752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        
        PID:13864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        
        PID:14000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        
        PID:14136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        
        PID:14264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        90⤵
        
        PID:3672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        91⤵
        
        PID:14068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        92⤵
        
        PID:13120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        93⤵
        
        PID:6304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        94⤵
        
        PID:14412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        95⤵
        
        PID:14504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        96⤵
        
        PID:14620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        97⤵
        
        PID:14756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        98⤵
        
        PID:14860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        99⤵
        
        PID:14964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        100⤵
        
        PID:15132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        101⤵
        
        PID:13732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        102⤵
        
        PID:3732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        103⤵
        
        PID:5324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        104⤵
        
        PID:15268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        105⤵
        
        PID:14732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        106⤵
        
        PID:4320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        107⤵
        
        PID:6408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        108⤵
        
        PID:3644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        109⤵
        
        PID:15376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        110⤵
        
        PID:15452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        111⤵
        
        PID:15552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        112⤵
        
        PID:15736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        113⤵
        
        PID:15800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        114⤵
        
        PID:15852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        115⤵
        
        PID:15920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        116⤵
        
        PID:15976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        117⤵
        
        PID:16048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        118⤵
        
        PID:16104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        30⤵
        
        PID:6336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        30⤵
        
        PID:6760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        28⤵
        
        PID:7092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        27⤵
        
        PID:6768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        25⤵
        
        PID:6744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        25⤵
        
        PID:6096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        24⤵
        
        PID:6516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        24⤵
        
        PID:7072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        23⤵
        
        PID:5244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        22⤵
        
        PID:6992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        22⤵
        
        PID:6296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        21⤵
        
        PID:6312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        20⤵
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        19⤵
        
        PID:3472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        18⤵
        
        PID:6960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        17⤵
        
        PID:6700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        16⤵
        
        PID:6548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        15⤵
        
        PID:6956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        14⤵
        
        PID:5864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        13⤵
        
        PID:5192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        12⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ffb636bf208,0x7ffb636bf214,0x7ffb636bf220
        13⤵
        
        PID:1508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=52261162778816 --process=256 /prefetch:7 --thread=16260
        14⤵
        
        PID:16268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1888,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:3
        13⤵
        
        PID:4652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2260,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
        13⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2336,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
        13⤵
        
        PID:2952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
        13⤵
        
        PID:3688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        13⤵
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4188,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
        13⤵
        
        PID:6192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4508,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=4528 /prefetch:1
        13⤵
        
        PID:6252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4664,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:1
        13⤵
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5388,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1
        13⤵
        
        PID:9140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5452,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:1
        13⤵
        
        PID:9156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5720,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:1
        13⤵
        
        PID:9208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5752,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:1
        13⤵
        
        PID:8524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5912,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:1
        13⤵
        
        PID:8916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6004,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:1
        13⤵
        
        PID:6672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6204,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:1
        13⤵
        
        PID:6364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6304,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:1
        13⤵
        
        PID:9204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6500,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:1
        13⤵
        
        PID:9256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6736,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:1
        13⤵
        
        PID:9308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6712,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:1
        13⤵
        
        PID:9320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7024,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:1
        13⤵
        
        PID:9404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7156,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:1
        13⤵
        
        PID:9452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7304,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:1
        13⤵
        
        PID:9500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7196,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:1
        13⤵
        
        PID:9548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7484,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7596 /prefetch:1
        13⤵
        
        PID:9596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7464,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7752 /prefetch:1
        13⤵
        
        PID:9644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7896,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7776 /prefetch:1
        13⤵
        
        PID:9692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=8028,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8036 /prefetch:1
        13⤵
        
        PID:9740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=8160,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8168 /prefetch:1
        13⤵
        
        PID:9788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=8308,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8316 /prefetch:1
        13⤵
        
        PID:9836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8772,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8800 /prefetch:8
        13⤵
        
        PID:9888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8468,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8820 /prefetch:8
        13⤵
        
        PID:9896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8748,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9172 /prefetch:8
        13⤵
        
        PID:9936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=9612,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9640 /prefetch:1
        13⤵
        
        PID:7088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=5432,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9784 /prefetch:1
        13⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=9940,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9808 /prefetch:1
        13⤵
        
        PID:8416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=5200,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10120 /prefetch:1
        13⤵
        
        PID:7004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=10260,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10272 /prefetch:1
        13⤵
        
        PID:8532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=5416,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10428 /prefetch:1
        13⤵
        
        PID:9280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=10512,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10536 /prefetch:1
        13⤵
        
        PID:9432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=3540,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:1
        13⤵
        
        PID:9532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=10700,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10656 /prefetch:1
        13⤵
        
        PID:9764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=10956,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10976 /prefetch:1
        13⤵
        
        PID:9848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=11076,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11124 /prefetch:1
        13⤵
        
        PID:10168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=4672,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9456 /prefetch:1
        13⤵
        
        PID:10204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=11400,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11424 /prefetch:1
        13⤵
        
        PID:9448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=11544,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9444 /prefetch:1
        13⤵
        
        PID:10344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=11528,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11744 /prefetch:1
        13⤵
        
        PID:10504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=11760,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11872 /prefetch:1
        13⤵
        
        PID:10536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=6716,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9500 /prefetch:1
        13⤵
        
        PID:10660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=12124,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9504 /prefetch:1
        13⤵
        
        PID:10716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=12280,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=12312 /prefetch:1
        13⤵
        
        PID:10880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=6600,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=12464 /prefetch:1
        13⤵
        
        PID:10956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=12628,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=12636 /prefetch:1
        13⤵
        
        PID:10980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=12796,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=12816 /prefetch:1
        13⤵
        
        PID:11056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=12768,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=12460 /prefetch:1
        13⤵
        
        PID:11200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=5900,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:1
        13⤵
        
        PID:9516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=5736,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:1
        13⤵
        
        PID:9536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=3576,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:1
        13⤵
        
        PID:15576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3680,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8188 /prefetch:8
        13⤵
        
        PID:15572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5592,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
        13⤵
        
        PID:15584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=5240,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:1
        13⤵
        
        PID:15604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=9464 /prefetch:8
        13⤵
        
        PID:15612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6652,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
        13⤵
        
        PID:15620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7500,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
        13⤵
        
        PID:15628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4060,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11104 /prefetch:2
        13⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1944,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10560 /prefetch:8
        13⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1944,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=10560 /prefetch:8
        13⤵
        
        PID:15680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10588,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=8720 /prefetch:8
        13⤵
        
        PID:10168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=11216,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:2
        13⤵
        
        PID:13060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=11784,i,3455579187687175240,978863306624998557,262144 --variations-seed-version --mojo-platform-channel-handle=11900 /prefetch:8
        13⤵
        
        PID:14728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        Checks computer location settings
        
        PID:6708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        Checks computer location settings
        
        PID:6852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        
        PID:3040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        
        PID:7196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        
        PID:7308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        
        PID:7404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        
        PID:7508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        
        PID:7624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        
        PID:7704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        
        PID:7832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        
        PID:7920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        
        PID:8028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        
        PID:8132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        
        PID:7872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        
        PID:8256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        
        PID:8388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        
        PID:8460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        
        PID:8580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        
        PID:8680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        
        PID:8776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        
        PID:8872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        
        PID:8968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        
        PID:9068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        
        PID:10196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        
        PID:6336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        
        PID:9336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        
        PID:10148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        
        PID:10528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        
        PID:11008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        
        PID:11312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        
        PID:11700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        
        PID:12068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        
        PID:12284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        
        PID:12164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        
        PID:10968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        
        PID:11904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:12248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        
        PID:12252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        
        PID:12304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        
        PID:12508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        
        PID:12600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        
        PID:12764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        
        PID:12908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        
        PID:13108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        
        PID:13240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        
        PID:12420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        
        PID:12648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        
        PID:13296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        
        PID:9940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        
        PID:3100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        
        PID:13348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        
        PID:13536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        
        PID:13736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        
        PID:13856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        
        PID:14020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        
        PID:14152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        
        PID:14276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        
        PID:13456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        
        PID:13592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        
        PID:13584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:14092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        
        PID:14396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        
        PID:14496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        
        PID:14600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        
        PID:14684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:14772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        
        PID:14872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        
        PID:14980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        
        PID:15152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        
        PID:12616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        
        PID:6968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        
        PID:7228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        
        PID:7424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        
        PID:6712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        
        PID:8024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        
        PID:6380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        
        PID:8592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        11⤵
        
        PID:6520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        10⤵
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        9⤵
        
        PID:6728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        8⤵
        
        PID:7132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        7⤵
        
        PID:5288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        6⤵
        
        PID:6624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        6⤵
        
        PID:6932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        5⤵
        
        PID:6860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time 00:00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
      4⤵
      PID:6804
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5868
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3872
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6068
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5952
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5828
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3620
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5152
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5920
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6340
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:6764
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:10164
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:9288
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:10692
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:11564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:10972
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:11796
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:11480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:12368
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:12616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:12864
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:13160
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:12480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:2680
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:12368
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:13608
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:13936
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:14300
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:12616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:7608
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:15404
- - C:\Windows\pei.exe
    "C:\Windows\pei.exe"
    3⤵
    PID:15984
  - - C:\Users\Admin\AppData\Local\Temp\870929817.exe
      C:\Users\Admin\AppData\Local\Temp\870929817.exe
      4⤵
      PID:15640
    - - C:\Windows\sysldrvcs.exe
        
        C:\Windows\sysldrvcs.exe
        5⤵
        
        PID:15624
      - C:\Users\Admin\AppData\Local\Temp\2707930869.exe
        
        C:\Users\Admin\AppData\Local\Temp\2707930869.exe
        6⤵
        
        PID:9392
        
        C:\Users\Admin\AppData\Local\Temp\2978015654.exe
        
        C:\Users\Admin\AppData\Local\Temp\2978015654.exe
        7⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\255398142.exe
        
        C:\Users\Admin\AppData\Local\Temp\255398142.exe
        7⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\2924432225.exe
        
        C:\Users\Admin\AppData\Local\Temp\2924432225.exe
        7⤵
        
        PID:11084
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:14568
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "MgrDrvSvc" binpath= "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:15632
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:15028
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "MgrDrvSvc"
        8⤵
        Launches sc.exe
        
        PID:15120
      - C:\Users\Admin\AppData\Local\Temp\2538922900.exe
        
        C:\Users\Admin\AppData\Local\Temp\2538922900.exe
        6⤵
        
        PID:11164
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6508
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\AddMount.temp.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3004
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\AddPublish.dib.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:9732
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ConvertMeasure.exe.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:14224
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ExportRequest.rle.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5372
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ExportWatch.tif.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8396
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\FindSearch.xht.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 10980 -ip 10980
1⤵
PID:6672

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x2cc
1⤵
PID:9168

C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
1⤵
PID:1928
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:15884
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:5648
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:11280
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:13452
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:4588
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:12048
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:16276
- - C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe
    "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"
    3⤵
    PID:6800
  - - C:\Windows\system32\dwm.exe
      dwm.exe
      4⤵
      PID:6588
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery