9cf79bf9432b834bd3ed1cf7b412c773ec06e631685a5b32e245a6e0779b66d9

Analysis

max time kernel
154s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
Size

1.1MB
MD5

de44a278d7ea31a7440eb7b1ed1e6901
SHA1

e2329c7f0d1d7b4c09bbec01046fe9d27981248f
SHA256

9cf79bf9432b834bd3ed1cf7b412c773ec06e631685a5b32e245a6e0779b66d9
SHA512

67e9a94a8c5cf459b935f413c6183fa64bab9dddb3a37c95b6f5dc507922fa7fecb3f0408b60a3e2ae148b627ba0317d42aa0e4a691211ad2f394e6e37d7235d
SSDEEP

24576:7lCfiVBWpedi288WnNilhBJhpwHAn7bJ7xDSmio:EiVBWgdB8zYlhF2HU7V7/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ac35ab1a-12ff-4c12-9450-4f58a837d54c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220906200446.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3936	2784	chrome.exe	100
PID 2784 wrote to memory of 3936	2784	chrome.exe	100
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 1956	2784	chrome.exe	101
PID 2784 wrote to memory of 3016	2784	chrome.exe	102
PID 2784 wrote to memory of 3016	2784	chrome.exe	102
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103
PID 2784 wrote to memory of 3096	2784	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe
"C:\Users\Admin\AppData\Local\Temp\Grounded Early Access Plus 18 Trainer Updated 2021.10.25.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://flingtrainer.com/patreon
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd00746f8,0x7fffd0074708,0x7fffd0074718
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 /prefetch:8
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6640 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a3bd5460,0x7ff7a3bd5470,0x7ff7a3bd5480
      4⤵
      PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18205343161135261998,13941889173212004052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
    3⤵
    PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://flingtrainer.com/tag/grounded
  2⤵
  PID:5320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd00746f8,0x7fffd0074708,0x7fffd0074718
    3⤵
    PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc5d84f50,0x7fffc5d84f60,0x7fffc5d84f70
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=972 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13485103123241917950,17829033284647186318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:5488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
bf0959bd43182643e2155f92199ab42d

SHA1
ec689d7d13147632bf9bd2c1196411897eb1c87e

SHA256
8f6b8938536d124bfe86ae8cbf77150d9b0c558934212d6053d98c2bf37c09f9

SHA512
2558c68b41a4a521847be61a493261658e64e78f7e962dd4e1577daa3f2612a1350c8e74274b56e2e8d5a5c97a3bcbaa3346d9a7f65e59c4af7af1a35fba752c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
cf256af4baeda610169be3f8e43f9a55

SHA1
087d058d959cf812bdb1b905975368c2eb02807c

SHA256
e0806ac108b89bb03dca444c1ac3e091cccfe661789c56169aeac2f04e24a1ae

SHA512
e8edcde8e3eba556d463df2a2d356436c2398ea7faf815319468f685aa677ca0afb277934c3355bc684c2e9262beb5342ce5fe5b62d528492af8d4d041749c88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
178KB

MD5
bf1b770d5cf7d76d170f6788ba1e720c

SHA1
e26f381831f3854a9ddd6a5d99855ac2f2d3f347

SHA256
a2ab2bc2393d6e32cb1322d5e44d329763391ed4f9edd7797aa71001af255ebd

SHA512
1b9bd593df9464b487bc369ad8518d23fd1b051f88f6a9cb85584bcbb187bd74019c0502478036bdee8e3858e19f2fa4b9c29d4fb46a228f38026cddb74e3fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
dc4768cd60a5c7829815fd32f4844085

SHA1
953df2fd84601ae63162150a948273dc92495ee1

SHA256
ab221ebc5072d2f1ceb645818d5e4351ee08ecdba6eaf85e46ccf648fcadf5d7

SHA512
34c32eeb6a9e0a8f23c8c520f2de122146e54707c949164b63474028ad0e2257dba2b7b4548b9e0dc76215d6bae410766ea745b95afd33d4b25303d3d04684bf

Download Submit
memory/1324-175-0x00007FFFCE4A0000-0x00007FFFCEF61000-memory.dmp

Filesize
10.8MB

Download
memory/1324-176-0x00000184297FA000-0x00000184297FF000-memory.dmp

Filesize
20KB

Download
memory/1324-135-0x00000184297FA000-0x00000184297FF000-memory.dmp

Filesize
20KB

Download
memory/1324-132-0x00007FFFCE4A0000-0x00007FFFCEF61000-memory.dmp

Filesize
10.8MB

Download
memory/1324-134-0x00007FFFCE4A0000-0x00007FFFCEF61000-memory.dmp

Filesize
10.8MB

Download
memory/1324-133-0x00000184297FA000-0x00000184297FF000-memory.dmp

Filesize
20KB

Download