dcrat | 24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	5NS8xD0.exe

Executes dropped EXE 15 IoCs

pid	Process
4104	Rw4YT03.exe
668	nf4rn60.exe
1396	FJ4OU94.exe
4292	kK0yG24.exe
2968	qP5Qb44.exe
4264	1rs14bk1.exe
1812	2Ro9432.exe
508	3Hm09Ej.exe
3352	msedge.exe
3044	5NS8xD0.exe
5064	explothe.exe
2236	6dg6UC8.exe
4252	7ct2pQ14.exe
2500	explothe.exe
724	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WEXTRACT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rw4YT03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nf4rn60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FJ4OU94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kK0yG24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	qP5Qb44.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 5016	4264	1rs14bk1.exe	98
PID 1812 set thread context of 3564	1812	2Ro9432.exe	103
PID 3352 set thread context of 2932	3352	msedge.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2752	3564	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4376	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
508	3Hm09Ej.exe
508	3Hm09Ej.exe
5016	AppLaunch.exe
5016	AppLaunch.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
508	3Hm09Ej.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	AppLaunch.exe
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4104	4652	WEXTRACT.exe	91
PID 4652 wrote to memory of 4104	4652	WEXTRACT.exe	91
PID 4652 wrote to memory of 4104	4652	WEXTRACT.exe	91
PID 4104 wrote to memory of 668	4104	Rw4YT03.exe	92
PID 4104 wrote to memory of 668	4104	Rw4YT03.exe	92
PID 4104 wrote to memory of 668	4104	Rw4YT03.exe	92
PID 668 wrote to memory of 1396	668	nf4rn60.exe	93
PID 668 wrote to memory of 1396	668	nf4rn60.exe	93
PID 668 wrote to memory of 1396	668	nf4rn60.exe	93
PID 1396 wrote to memory of 4292	1396	FJ4OU94.exe	94
PID 1396 wrote to memory of 4292	1396	FJ4OU94.exe	94
PID 1396 wrote to memory of 4292	1396	FJ4OU94.exe	94
PID 4292 wrote to memory of 2968	4292	kK0yG24.exe	95
PID 4292 wrote to memory of 2968	4292	kK0yG24.exe	95
PID 4292 wrote to memory of 2968	4292	kK0yG24.exe	95
PID 2968 wrote to memory of 4264	2968	qP5Qb44.exe	96
PID 2968 wrote to memory of 4264	2968	qP5Qb44.exe	96
PID 2968 wrote to memory of 4264	2968	qP5Qb44.exe	96
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 4264 wrote to memory of 5016	4264	1rs14bk1.exe	98
PID 2968 wrote to memory of 1812	2968	qP5Qb44.exe	97
PID 2968 wrote to memory of 1812	2968	qP5Qb44.exe	97
PID 2968 wrote to memory of 1812	2968	qP5Qb44.exe	97
PID 1812 wrote to memory of 308	1812	2Ro9432.exe	104
PID 1812 wrote to memory of 308	1812	2Ro9432.exe	104
PID 1812 wrote to memory of 308	1812	2Ro9432.exe	104
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 1812 wrote to memory of 3564	1812	2Ro9432.exe	103
PID 4292 wrote to memory of 508	4292	kK0yG24.exe	99
PID 4292 wrote to memory of 508	4292	kK0yG24.exe	99
PID 4292 wrote to memory of 508	4292	kK0yG24.exe	99
PID 1396 wrote to memory of 3352	1396	FJ4OU94.exe	124
PID 1396 wrote to memory of 3352	1396	FJ4OU94.exe	124
PID 1396 wrote to memory of 3352	1396	FJ4OU94.exe	124
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 3352 wrote to memory of 2932	3352	msedge.exe	106
PID 668 wrote to memory of 3044	668	nf4rn60.exe	107
PID 668 wrote to memory of 3044	668	nf4rn60.exe	107
PID 668 wrote to memory of 3044	668	nf4rn60.exe	107
PID 3044 wrote to memory of 5064	3044	5NS8xD0.exe	173
PID 3044 wrote to memory of 5064	3044	5NS8xD0.exe	173
PID 3044 wrote to memory of 5064	3044	5NS8xD0.exe	173
PID 4104 wrote to memory of 2236	4104	Rw4YT03.exe	108
PID 4104 wrote to memory of 2236	4104	Rw4YT03.exe	108

C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
"C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:308
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe
        5⤵
        
        PID:3352
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe
    3⤵
    - Executes dropped EXE
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe
  2⤵
  - Executes dropped EXE
  PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 540
1⤵
- Program crash
PID:2752

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0CD.tmp\D0CE.tmp\D0CF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe"
1⤵
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12272757063005439351,5451442381693845648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12272757063005439351,5451442381693845648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:5664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
    3⤵
    PID:6604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:6668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:6836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    PID:6872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:7040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:5704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
    3⤵
    PID:6408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
    3⤵
    PID:6156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:5628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    PID:5140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
    3⤵
    PID:5132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:5748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8820 /prefetch:1
    3⤵
    PID:6888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8812 /prefetch:1
    3⤵
    PID:6488
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9680 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9680 /prefetch:8
    3⤵
    PID:6152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9360 /prefetch:1
    3⤵
    PID:6108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
    3⤵
    PID:3748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9624 /prefetch:8
    3⤵
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8340 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,10484628546618252406,9994088220017825682,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
    3⤵
    PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:1744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14244173103138695208,11761180616663191087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14244173103138695208,11761180616663191087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
  2⤵
  PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,82410784221153646,11871619342890837185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  PID:2676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,8420389059218441439,16850482228196356959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
  2⤵
  PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3994075708432015484,1046739946491234389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9991660207106694833,7830641278837141484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:6412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  PID:6864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:7116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  PID:1716

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
1⤵
PID:6956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
1⤵
PID:7124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbb16f46f8,0x7ffbb16f4708,0x7ffbb16f4718
1⤵
PID:7048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6404

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
1⤵
PID:3716

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
1⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
1⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
1⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
1⤵
- Creates scheduled task(s)
PID:4376

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery