nanocore | 5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
Size

309KB
MD5

3e84ff0190e4ebfb051448fde035364e
SHA1

7efd883c4fcc49df5615658605d09d57e427dbc6
SHA256

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4
SHA512

c872e2af779db49352eb916321290f13fad7cf6acee518057009032cceea3b42b975566079560309c6df707d84a3abb5071d8bec52ad06cf60ea5807a1dd5cbf
SSDEEP

6144:5K9eooDK1zJmZNUrz21pQotrLHeHbxG/GWvmm8NErGQiVSHTXiPBKq4U:MoDIe63EphFyHFiGWvmmYyYgUn5

Score

10^/10

nanocore microsoft keylogger persistence phishing spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

tadas123.mooo.com:59786

ktmpss.mooo.com:59786

Mutex

fbd611ba-8508-451c-8f11-45e28ff8e35e

Attributes

activate_away_mode
true
backup_connection_host
ktmpss.mooo.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-14T14:04:43.383753236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
59786
default_group
CsGo Botai 0307
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
fbd611ba-8508-451c-8f11-45e28ff8e35e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tadas123.mooo.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exemsedge.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 6 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

description	pid	process	target process
PID 4060 set thread context of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 set thread context of 520	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 set thread context of 4236	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 set thread context of 3392	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 set thread context of 3908	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 set thread context of 2232	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\34fb9e08-cc13-4753-a1f0-b6a50ca47561.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221013212638.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
3104	ping.exe
3624	ping.exe
1216	ping.exe
1832	ping.exe
856	ping.exe
4276	ping.exe
5068	ping.exe
3372	ping.exe
1932	ping.exe
4808	ping.exe
2964	ping.exe
1104	ping.exe
1416	ping.exe
3288	ping.exe
5056	ping.exe
1804	ping.exe
964	ping.exe
3516	ping.exe
4528	ping.exe
4588	ping.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

pid	process
3060	msedge.exe
3060	msedge.exe
4140	msedge.exe
4140	msedge.exe
1036	identity_helper.exe
1036	identity_helper.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exe

pid	process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

description pid process

Token: SeDebugPrivilege 4060 5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4140 msedge.exe
4140 msedge.exe
4140 msedge.exe

description	pid	process
Token: SeDebugPrivilege	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exeAppLaunch.exemsedge.exe

description	pid	process	target process
PID 4060 wrote to memory of 856	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 856	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 856	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3104	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3104	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3104	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4276	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4276	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4276	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3516	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3516	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3516	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 5068	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 5068	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 5068	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4528	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4528	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4528	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3372	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3372	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3372	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4588	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4588	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4588	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 1932	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 1932	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 1932	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3288	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3288	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3288	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4616	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 4060 wrote to memory of 4808	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4808	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 4808	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4616 wrote to memory of 4140	4616	AppLaunch.exe	msedge.exe
PID 4616 wrote to memory of 4140	4616	AppLaunch.exe	msedge.exe
PID 4140 wrote to memory of 2220	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 2220	4140	msedge.exe	msedge.exe
PID 4060 wrote to memory of 3624	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3624	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4060 wrote to memory of 3624	4060	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 4964	4140	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
"C:\Users\Admin\AppData\Local\Temp\5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:856

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3104

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4276

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3516

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:5068

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4528

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3372

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4588

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1932

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
4⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
4⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
4⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 /prefetch:8
4⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
4⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
4⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
4⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 /prefetch:8
4⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
4⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
4⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
4⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff64ef35460,0x7ff64ef35470,0x7ff64ef35480
5⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
4⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
4⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
4⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
4⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
4⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
4⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1116 /prefetch:1
4⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
4⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
4⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
4⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6644 /prefetch:8
4⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
4⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
4⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
4⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
4⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
4⤵
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7680 /prefetch:8
4⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
4⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
4⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16642502960901898515,2811028659097412272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
4⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:2364

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4808

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3624

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2964

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:5056

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1216

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1104

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1416

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1804

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:964

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1832

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1808

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:3972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:888

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:4828

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:3952

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:3080

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:608

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:3596

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1252

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:4068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:1188

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:5100

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:4892

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:1316

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1188

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1628

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:4188

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffcf05046f8,0x7ffcf0504708,0x7ffcf0504718
4⤵
PID:1256

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1436

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
\??\pipe\LOCAL\crashpad_4140_VXMWYUDQYMIARXNA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/520-193-0x0000000000000000-mapping.dmp

Download
memory/608-221-0x0000000000000000-mapping.dmp

Download
memory/856-135-0x0000000000000000-mapping.dmp

Download
memory/888-205-0x0000000000000000-mapping.dmp

Download
memory/964-189-0x0000000000000000-mapping.dmp

Download
memory/1036-187-0x0000000000000000-mapping.dmp

Download
memory/1076-199-0x0000000000000000-mapping.dmp

Download
memory/1088-167-0x0000000000000000-mapping.dmp

Download
memory/1104-177-0x0000000000000000-mapping.dmp

Download
memory/1216-174-0x0000000000000000-mapping.dmp

Download
memory/1252-223-0x0000000000000000-mapping.dmp

Download
memory/1252-215-0x0000000000000000-mapping.dmp

Download
memory/1280-210-0x0000000000000000-mapping.dmp

Download
memory/1404-162-0x0000000000000000-mapping.dmp

Download
memory/1416-185-0x0000000000000000-mapping.dmp

Download
memory/1528-220-0x0000000000000000-mapping.dmp

Download
memory/1804-188-0x0000000000000000-mapping.dmp

Download
memory/1808-191-0x0000000000000000-mapping.dmp

Download
memory/1832-190-0x0000000000000000-mapping.dmp

Download
memory/1868-183-0x0000000000000000-mapping.dmp

Download
memory/1932-145-0x0000000000000000-mapping.dmp

Download
memory/2200-211-0x0000000000000000-mapping.dmp

Download
memory/2220-151-0x0000000000000000-mapping.dmp

Download
memory/2364-170-0x0000000000000000-mapping.dmp

Download
memory/2864-214-0x0000000000000000-mapping.dmp

Download
memory/2896-176-0x0000000000000000-mapping.dmp

Download
memory/2912-184-0x0000000000000000-mapping.dmp

Download
memory/2964-163-0x0000000000000000-mapping.dmp

Download
memory/3060-155-0x0000000000000000-mapping.dmp

Download
memory/3080-225-0x0000000000000000-mapping.dmp

Download
memory/3104-137-0x0000000000000000-mapping.dmp

Download
memory/3112-173-0x0000000000000000-mapping.dmp

Download
memory/3288-146-0x0000000000000000-mapping.dmp

Download
memory/3372-143-0x0000000000000000-mapping.dmp

Download
memory/3516-139-0x0000000000000000-mapping.dmp

Download
memory/3596-222-0x0000000000000000-mapping.dmp

Download
memory/3624-152-0x0000000000000000-mapping.dmp

Download
memory/3688-158-0x0000000000000000-mapping.dmp

Download
memory/3796-181-0x0000000000000000-mapping.dmp

Download
memory/3844-160-0x0000000000000000-mapping.dmp

Download
memory/3904-186-0x0000000000000000-mapping.dmp

Download
memory/3952-203-0x0000000000000000-mapping.dmp

Download
memory/3972-192-0x0000000000000000-mapping.dmp

Download
memory/4060-136-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4060-140-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4140-150-0x0000000000000000-mapping.dmp

Download
memory/4236-212-0x0000000000000000-mapping.dmp

Download
memory/4276-138-0x0000000000000000-mapping.dmp

Download
memory/4324-224-0x0000000000000000-mapping.dmp

Download
memory/4364-208-0x0000000000000000-mapping.dmp

Download
memory/4436-218-0x0000000000000000-mapping.dmp

Download
memory/4528-142-0x0000000000000000-mapping.dmp

Download
memory/4588-144-0x0000000000000000-mapping.dmp

Download
memory/4616-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4616-147-0x0000000000000000-mapping.dmp

Download
memory/4728-179-0x0000000000000000-mapping.dmp

Download
memory/4732-204-0x0000000000000000-mapping.dmp

Download
memory/4756-196-0x0000000000000000-mapping.dmp

Download
memory/4792-195-0x0000000000000000-mapping.dmp

Download
memory/4808-149-0x0000000000000000-mapping.dmp

Download
memory/4820-201-0x0000000000000000-mapping.dmp

Download
memory/4828-202-0x0000000000000000-mapping.dmp

Download
memory/4964-154-0x0000000000000000-mapping.dmp

Download
memory/5012-165-0x0000000000000000-mapping.dmp

Download
memory/5036-169-0x0000000000000000-mapping.dmp

Download
memory/5056-168-0x0000000000000000-mapping.dmp

Download
memory/5068-141-0x0000000000000000-mapping.dmp

Download