3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe = "0"	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe = "0"	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4500	powershell.exe
4500	powershell.exe
3132	msedge.exe
3132	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
2260	identity_helper.exe
2260	identity_helper.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4500	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	87
PID 3948 wrote to memory of 4500	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	87
PID 3948 wrote to memory of 4500	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	87
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 3948 wrote to memory of 1664	3948	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe	89
PID 1664 wrote to memory of 1592	1664	ngen.exe	94
PID 1664 wrote to memory of 1592	1664	ngen.exe	94
PID 1592 wrote to memory of 3128	1592	msedge.exe	95
PID 1592 wrote to memory of 3128	1592	msedge.exe	95
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3984	1592	msedge.exe	96
PID 1592 wrote to memory of 3132	1592	msedge.exe	97
PID 1592 wrote to memory of 3132	1592	msedge.exe	97
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98
PID 1592 wrote to memory of 3140	1592	msedge.exe	98

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe

C:\Users\Admin\AppData\Local\Temp\3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe
"C:\Users\Admin\AppData\Local\Temp\3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3193a9adfee944d12a081b3fd327d714aa8a3aece4cbf8bfbfd415d9f0574975.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8da9546f8,0x7ff8da954708,0x7ff8da954718
      4⤵
      PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:3884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
      4⤵
      PID:1828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
      4⤵
      PID:1556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      4⤵
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      4⤵
      PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      PID:1244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,10896479870845953482,726679693554289352,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4664 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8da9546f8,0x7ff8da954708,0x7ff8da954718
      4⤵
      PID:1240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery