privateloader | 5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe
Size

1.5MB
MD5

a5f2d196defbc17bc990ef7375d1e2da
SHA1

68f8bd12b67358e9bdc3ba84f056c411a47c48bd
SHA256

5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2
SHA512

569ada391d90c284233c4846ef29e8bf4730b9aef7cde9b937d66baea7341fb73e9519e837e5f8a7a331824e580b3c2445439ceb03293ed5dbdaaba5b22c61f2
SSDEEP

24576:fyoF07TnV3GXc9KXeFDG8+WPwVxbleripDJwDOFASQ4PirRyPzEGmY:qy03nVl5PPgNlerctwqFPQ4qrRqEl

Score

10^/10

privateloader risepro smokeloader backdoor loader persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	7IN7FZ32.exe

Executes dropped EXE 4 IoCs

pid	Process
1692	Bx6hD92.exe
2328	1wy75vG2.exe
7016	4NB208cq.exe
6508	7IN7FZ32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bx6hD92.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	7IN7FZ32.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000231da-12.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	7IN7FZ32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	7IN7FZ32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	7IN7FZ32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	7IN7FZ32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4NB208cq.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4NB208cq.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4NB208cq.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6640	schtasks.exe
5688	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
1296	msedge.exe
1296	msedge.exe
1728	msedge.exe
1728	msedge.exe
5268	msedge.exe
5268	msedge.exe
5636	msedge.exe
5636	msedge.exe
6112	msedge.exe
6112	msedge.exe
6588	msedge.exe
6588	msedge.exe
7016	4NB208cq.exe
7016	4NB208cq.exe
3176	Process not Found
3176	Process not Found
6488	identity_helper.exe
6488	identity_helper.exe
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
7016	4NB208cq.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3176	Process not Found
Token: SeCreatePagefilePrivilege	3176	Process not Found
Token: SeShutdownPrivilege	3176	Process not Found
Token: SeCreatePagefilePrivilege	3176	Process not Found
Token: SeShutdownPrivilege	3176	Process not Found
Token: SeCreatePagefilePrivilege	3176	Process not Found
Token: SeShutdownPrivilege	3176	Process not Found
Token: SeCreatePagefilePrivilege	3176	Process not Found
Token: SeShutdownPrivilege	3176	Process not Found
Token: SeCreatePagefilePrivilege	3176	Process not Found

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2328	1wy75vG2.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found
3176	Process not Found

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2328	1wy75vG2.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
2328	1wy75vG2.exe
3176	Process not Found
3176	Process not Found
3176	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1692	1256	5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe	89
PID 1256 wrote to memory of 1692	1256	5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe	89
PID 1256 wrote to memory of 1692	1256	5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe	89
PID 1692 wrote to memory of 2328	1692	Bx6hD92.exe	90
PID 1692 wrote to memory of 2328	1692	Bx6hD92.exe	90
PID 1692 wrote to memory of 2328	1692	Bx6hD92.exe	90
PID 2328 wrote to memory of 1728	2328	1wy75vG2.exe	94
PID 2328 wrote to memory of 1728	2328	1wy75vG2.exe	94
PID 2328 wrote to memory of 2184	2328	1wy75vG2.exe	96
PID 2328 wrote to memory of 2184	2328	1wy75vG2.exe	96
PID 1728 wrote to memory of 4232	1728	msedge.exe	97
PID 1728 wrote to memory of 4232	1728	msedge.exe	97
PID 2184 wrote to memory of 3292	2184	msedge.exe	98
PID 2184 wrote to memory of 3292	2184	msedge.exe	98
PID 2328 wrote to memory of 848	2328	1wy75vG2.exe	99
PID 2328 wrote to memory of 848	2328	1wy75vG2.exe	99
PID 848 wrote to memory of 1612	848	msedge.exe	100
PID 848 wrote to memory of 1612	848	msedge.exe	100
PID 2328 wrote to memory of 2744	2328	1wy75vG2.exe	101
PID 2328 wrote to memory of 2744	2328	1wy75vG2.exe	101
PID 2744 wrote to memory of 4812	2744	msedge.exe	102
PID 2744 wrote to memory of 4812	2744	msedge.exe	102
PID 2328 wrote to memory of 3236	2328	1wy75vG2.exe	103
PID 2328 wrote to memory of 3236	2328	1wy75vG2.exe	103
PID 3236 wrote to memory of 3656	3236	msedge.exe	104
PID 3236 wrote to memory of 3656	3236	msedge.exe	104
PID 2328 wrote to memory of 3936	2328	1wy75vG2.exe	105
PID 2328 wrote to memory of 3936	2328	1wy75vG2.exe	105
PID 3936 wrote to memory of 424	3936	msedge.exe	106
PID 3936 wrote to memory of 424	3936	msedge.exe	106
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110
PID 1728 wrote to memory of 2140	1728	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe
"C:\Users\Admin\AppData\Local\Temp\5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bx6hD92.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bx6hD92.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1wy75vG2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1wy75vG2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:4232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2
        5⤵
        
        PID:2140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
        5⤵
        
        PID:232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:5980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
        5⤵
        
        PID:5472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
        5⤵
        
        PID:6188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
        5⤵
        
        PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
        5⤵
        
        PID:6512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
        5⤵
        
        PID:6736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        5⤵
        
        PID:6920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        5⤵
        
        PID:7052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
        5⤵
        
        PID:7028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
        5⤵
        
        PID:1076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1
        5⤵
        
        PID:4284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
        5⤵
        
        PID:1140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
        5⤵
        
        PID:4940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
        5⤵
        
        PID:5804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        5⤵
        
        PID:5792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
        5⤵
        
        PID:4124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
        5⤵
        
        PID:5244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8344 /prefetch:2
        5⤵
        
        PID:1904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        5⤵
        
        PID:1212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:3292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,17025690643760989129,1411174540545396376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,17025690643760989129,1411174540545396376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        5⤵
        
        PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16819794862981006312,13280893650261723418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16819794862981006312,13280893650261723418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        5⤵
        
        PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:4812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8484537144312331127,9095308673671198888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:5144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8484537144312331127,9095308673671198888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4302751548187538015,2853244566311934591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11811535930178237432,5893724216950123838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:6084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:5136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:6384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c434718
        5⤵
        
        PID:6960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NB208cq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NB208cq.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:7016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN7FZ32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN7FZ32.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:6508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1d2202f74b448801d3f092bd89c1ced

SHA1
7dea3fdc9b375de768c508da42e468c0f974dd33

SHA256
6f15e3e1d666d9d7534198b2c0b03a5c710b0ffd6049b4d121e2ace2c476d32e

SHA512
adfe22f0ff9bf03ef14013194e2497f7d8c7631f741320611c0c77ea02887844edfab338c9b66f5afce1994f2364066641c9991eb2cfb1eb6d9a0143a50cd410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f0cdba3e639a70bf26cf85d538ce1a8

SHA1
b457faa0d6c55d56d61167674f734f54c978639b

SHA256
c1e48c2dfaeb607efc713e1b5c01d1ee8a9491d8f3a2a5f4f3887e6c1f8c2f63

SHA512
3c270fc58170c37f51427aac2d3092ddbbc17832556718612cebb0c32c04e7e3b7e157969d458a4b9c3e8bf781c23489319338960cefb5cf530673f2b8f81609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
589bd8334453a3bb9975aac38e252818

SHA1
79471eae37053dd79cfe6bd3e5498df1b9c95d79

SHA256
a21db491c61ca07f2cd766c5ec5cffb719cc92b082c251dac3f8a09410be2625

SHA512
34780ad1ea8e42ce362dafd4ed2f19df0f59529a6ff52bd02e164cf3222a826fcc6736550cca5bc0b2856b8992961f48e1a104ded59e63009eb303073e7c3339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87b0cca832a27434cbc28e38797969e0

SHA1
13ee7a4f04d297088399e9943194ed4d234204b4

SHA256
28938d42def3334295d9500af8b9ee45318880905aaf4731fa5d0bb2584e1aa2

SHA512
362443b53055a715a688af0a5c3bc619c065fea539a5002f326fe817760814139a323433a47fd4f80d616f1cf04a8050ab4e0696426f960245dff636c3d09653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
1c83f7260fd55ec8147eb827a2fc1bcf

SHA1
66d7356f47d8ba082343bdcc78f906c3a7a4bbe3

SHA256
69b04d13b7b848bfeb975388698d122669849ba130195264e5eb8c7f6909e863

SHA512
fc18a35bec54b55d2f09c074330d7e17e8fc6763bceb41a2c2914abe4727d0b79f1cf32a533be0dd0d3f08c2e240bbf57c710bbaafae4a0356a45b30db688182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
b55f9a7ec69142866e57863828a294cb

SHA1
a720de2d00550dd01b79fc0f5efc42ff495a0e7d

SHA256
0e82f71b3368a0128eb792b948da2095526b3d60bfabfe83e9486d40599d530d

SHA512
e7bb4a9d4d7b11d1c7fbbd2972c3d5b870c779dabb7c582e217ae6cc903156da77d3f1d4ee308bee20b8b62b1218e4a35d8817d1cba6701e00b4d1ce5137dd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
766256462cc6a47197e55d68abe67ee0

SHA1
8a48b2d65ccbe726c7e848ee36a73fda61912126

SHA256
5475b30564a8294b225e899dcb35f328f9835aae6da424a3982eac4feac9edd0

SHA512
330f1d1234bc32fd5600897946b879a766c5cf9eb0c94c63b94bf0a3f2388b786786add21ade4208ecea6adc2895589cf74c968f90e72da24f830efb5e7ce81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
44ae196ffba323bea0b4c2add619e575

SHA1
b0c7ba14bd833e7ee20df666f1e8a52cc1b92aa2

SHA256
762511f31cb51cbccb295bdf3a38769fa018c91460406b4c3b6ddf63216e6776

SHA512
f8157cccec77983d1ed8f947db77915b9b80726225c064d603af3a089c1c5af840f6d92cf059f7a3e1608af436878aa0a6c80dc17f56d3dfc0be96d1680a43cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
933f7efecb3eab07411f23ada68e60d9

SHA1
3f7ed744f484214b56855e5cd4f64b2b5e00bce9

SHA256
73964d829c9f9a0d12977f0f990e1f4fbe08e17034a3fd5ae9c60d714dd6a1d4

SHA512
c625c75174ebda347380b5c4fc2f138d799a257a323bfc72ace3551159c80b2758c6e3d3fddde23a6de22f9fd8412269b590e2de04cbae7f6156ebbc73832cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
21d44a6c21f08fb4366daa9b4d1d0d53

SHA1
49e1aa208ba1fc1fbd20b7a6c38703bd0eb71c13

SHA256
ecc5b33b99a09dffd2d8f1114eb714dbdc1842a85c113b32826e66d1b5413215

SHA512
ef301bd819a592a2eddff11f0b3bf0993a3d914cd18964900cd1edda266c413ac4ffb84acc0a0653b6b4046e86d17fd633fc054ee16fba5ef6d3faaf911d91de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d4f9a852c4e03ac674cebf38db73e221

SHA1
b8719b91eb4726fd767add03027317190691606c

SHA256
45da746cea841a7b0968c35f75d3fac77e67deea6017a864b06ac0d406e58d1c

SHA512
89a283837a8e84ec55c33bf59352e7b597053f860e7e0769be0b21b659bab05c865613b351d65b0a67ab5e74f23baae774fdcdd4e564d851b67f07761bc05d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
d0d49f081f77f0457d3123dfc9e83255

SHA1
094817ea9a507fd514dba44fe52868e44995c5d3

SHA256
c0455996749532be40ac8975df2b1e3f371e52137617eeb564d1b73608bc85e8

SHA512
760bd64634e535bd390fb87c9358074144cd713414e7b269a4ddfee57d301511aff14a8b5d834574b330cec4dd04ae8a95e55b49922e882afd33feeecc065964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
29026f8c7fcf96dbf963c56a86d1fde8

SHA1
a5d2b837debf30d4b2fa13b03785ea676d5ff291

SHA256
fe15ee9aa140064d92086cb3594b8c40a5833e080d3029d6d35b5cc0b5af2be6

SHA512
8706714205ae9055f911d2102dedcd3669cb421d83a8da731b3fd8eefa28f3b48653120584c316b6acadbd538c9e2f969973f209f602f56865ce2c8ef5dd302f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
5ca090c63d9d264ccb5d4cdda15c72c2

SHA1
2d5541cb33d318678977e7e11796e54ed3a016a0

SHA256
1f6259b41de6f0d80f88b279b124aea802c98ec0b2fc30b647231e26f7374164

SHA512
6871b67eef1b64faa4450e61b3a4b9a3f532ccd567af30915fbcdc35077df7a9dde4f65d9f22a2cbff46b3905996a4c13a4dfc8c26532728a417d28dec4c7aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN7FZ32.exe

Filesize
1003KB

MD5
44cc01f972057820d7e1c3cb77cb64b7

SHA1
d935a3b7273935b9e8db1a0737c405ff0cbd4d09

SHA256
ca85ce37dc2a99f7a4f101c3acf49579afe2e2547ed70985490c34b12f450268

SHA512
101b1267645bb8e59cfc5f79ff12cb5ec911e4d49fd1d794513ed772c382733f17f0a6a344dc7f8644b2b93a5a4d9ac976765965f1120e97b817ab22b9acfd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bx6hD92.exe

Filesize
551KB

MD5
a9802852dcb1628e3e6dd189a90c58f3

SHA1
1f4c45b6e66110e4d2ebfa83c26d9deb88a9f8a6

SHA256
0d00c5992bfa1fc5f532c92a9a4acb7c8948da792252c8f595289927f22e5085

SHA512
4c8f1795a92e25dc48f4a70c125a605a13e2617a1335c1928fe4ef880a0cdb0fefeb09916f683e90db319a853c013befdbd9c40d5153561ccef1455e3fc9cb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1wy75vG2.exe

Filesize
898KB

MD5
9c7318490eb691f13187bd07f12b7a50

SHA1
ae629b05f8437e120e65d7741f54ba73aba04cf9

SHA256
5c1212988b5f75a875976e64254d7f023590fc78234ec2b2b361bce762f00c5d

SHA512
92039a8072cb5da24376f108235c7a3a6d31893b8a52e26578ac1329a0f9a4bd7bee6469f2261ad2f45351559c2132bb1d77f300600c1716deca724623caae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NB208cq.exe

Filesize
38KB

MD5
ac56fa7c561f8d04bfbfc7c6bf97a91b

SHA1
f2191fa70d141a00d28f3f4ed247ec5e8fb8a515

SHA256
62d6d6c66addc3293db9f580e15c0d3b1afbc39b6f75f7a7ee99a1916c19b1c6

SHA512
6b14a0d39fbeed306ba4f63297b8c990c308a22556f78f5ec56e63a5d2bd200d4e8857008d6cb263d35ac1ec73da4e394913d87c9ce45229ff203242371050ee

Download Submit
memory/3176-203-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/6508-221-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/6508-300-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/6508-212-0x0000000002810000-0x00000000029AB000-memory.dmp

Filesize
1.6MB

Download
memory/6508-312-0x0000000002810000-0x00000000029AB000-memory.dmp

Filesize
1.6MB

Download
memory/6508-314-0x0000000002570000-0x0000000002648000-memory.dmp

Filesize
864KB

Download
memory/6508-211-0x0000000002570000-0x0000000002648000-memory.dmp

Filesize
864KB

Download
memory/7016-204-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7016-166-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download