02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe
Size

642KB
MD5

3495f027cf0f5fc3e066f6d1e5ae17f6
SHA1

787b0eef35f80738a55247d6acd4d49a0f5d3f07
SHA256

d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70
SHA512

c8b9ccde6c7e26800badc673214b4a79871b528d2e02faa07458279155edd9171781d38db17da5fb623389be7ca5cb134f560b49d93b07c95a3a9a13ba37db26
SSDEEP

12288:XMr0y90J0NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6Nxb2jHV:nyEiaaewIsgCQGIgYDFb2j1

Score

7^/10

persistence

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral20/memory/6220-135-0x00000000022B0000-0x00000000022D0000-memory.dmp	net_reactor
behavioral20/memory/6220-142-0x0000000004F50000-0x0000000004F6E000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
4408	1yA11LA8.exe
6220	2mG9138.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral20/files/0x000800000002341c-5.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
5004	msedge.exe
5004	msedge.exe
232	msedge.exe
232	msedge.exe
4528	msedge.exe
4528	msedge.exe
5208	msedge.exe
5208	msedge.exe
5488	msedge.exe
5488	msedge.exe
3984	identity_helper.exe
3984	identity_helper.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6220	2mG9138.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4408	1yA11LA8.exe
4408	1yA11LA8.exe
4408	1yA11LA8.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4408	1yA11LA8.exe
4408	1yA11LA8.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4408	1yA11LA8.exe
4408	1yA11LA8.exe
4408	1yA11LA8.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4408	1yA11LA8.exe
4408	1yA11LA8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4408	1176	d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe	82
PID 1176 wrote to memory of 4408	1176	d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe	82
PID 1176 wrote to memory of 4408	1176	d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe	82
PID 4408 wrote to memory of 4528	4408	1yA11LA8.exe	83
PID 4408 wrote to memory of 4528	4408	1yA11LA8.exe	83
PID 4528 wrote to memory of 3152	4528	msedge.exe	85
PID 4528 wrote to memory of 3152	4528	msedge.exe	85
PID 4408 wrote to memory of 3392	4408	1yA11LA8.exe	86
PID 4408 wrote to memory of 3392	4408	1yA11LA8.exe	86
PID 3392 wrote to memory of 4796	3392	msedge.exe	87
PID 3392 wrote to memory of 4796	3392	msedge.exe	87
PID 4408 wrote to memory of 2604	4408	1yA11LA8.exe	88
PID 4408 wrote to memory of 2604	4408	1yA11LA8.exe	88
PID 2604 wrote to memory of 2568	2604	msedge.exe	89
PID 2604 wrote to memory of 2568	2604	msedge.exe	89
PID 4408 wrote to memory of 4108	4408	1yA11LA8.exe	90
PID 4408 wrote to memory of 4108	4408	1yA11LA8.exe	90
PID 4108 wrote to memory of 2512	4108	msedge.exe	91
PID 4108 wrote to memory of 2512	4108	msedge.exe	91
PID 4408 wrote to memory of 1340	4408	1yA11LA8.exe	92
PID 4408 wrote to memory of 1340	4408	1yA11LA8.exe	92
PID 1340 wrote to memory of 2620	1340	msedge.exe	93
PID 1340 wrote to memory of 2620	1340	msedge.exe	93
PID 4408 wrote to memory of 380	4408	1yA11LA8.exe	94
PID 4408 wrote to memory of 380	4408	1yA11LA8.exe	94
PID 380 wrote to memory of 824	380	msedge.exe	95
PID 380 wrote to memory of 824	380	msedge.exe	95
PID 4408 wrote to memory of 4456	4408	1yA11LA8.exe	96
PID 4408 wrote to memory of 4456	4408	1yA11LA8.exe	96
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97
PID 4528 wrote to memory of 4960	4528	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe
"C:\Users\Admin\AppData\Local\Temp\d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1yA11LA8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1yA11LA8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:2720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
      4⤵
      PID:6092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
      4⤵
      PID:5152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
      4⤵
      PID:6244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
      4⤵
      PID:6320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:6404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      4⤵
      PID:6496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
      4⤵
      PID:6684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
      4⤵
      PID:6872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
      4⤵
      PID:7128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
      4⤵
      PID:6184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
      4⤵
      PID:6884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
      4⤵
      PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
      4⤵
      PID:3648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7800 /prefetch:1
      4⤵
      PID:5124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8300 /prefetch:8
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8300 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
      4⤵
      PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8744 /prefetch:8
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3799927749960293101,38267048274657130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5840 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16999623556377750148,17699289172644110367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16999623556377750148,17699289172644110367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,14180947133363024781,11493968941000887845,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,14180947133363024781,11493968941000887845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:2512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,628926132705339355,11083670394907584728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,628926132705339355,11083670394907584728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9285572306505644443,3392738455643116121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
    3⤵
    PID:4456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x154,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
    3⤵
    PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc8b5046f8,0x7ffc8b504708,0x7ffc8b504718
      4⤵
      PID:5816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mG9138.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mG9138.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9bb913eb-6108-4e16-9bd8-5ff1b7e8705e.tmp

Filesize
8KB

MD5
10d9f10f969f7920c1c2500251ff53a9

SHA1
8163bbf42ddbe98ff517de559ca6dd631dd239e4

SHA256
21ad812b36aec57b720a53616bcebdb3099efbf90a4cff9857aa5071b5eeafcf

SHA512
725145acb29348901ef929c620e96c0ad01e11078db7f055c94ff8f616c6820a2e6e2b7cb4e71200e1a4206d9ffb0d7e604992391680fb64ec272059a48e83a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
58dd5d3aaae703a67f013b868843658c

SHA1
4f5d5c8975b30edd616f03f492799e89de4bd7a9

SHA256
64dbb643206b24952204fed86ea5febfe3c7de26a93d5307751a7de6f2635db1

SHA512
416105a68247600be36c687e9ddee4d882fb84e3c8058ab027d33b815918b2a7c7e7e60261da9a98f4b12335bd5ae0dbf88da9dd0a6b152e905314d7a5112348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d7924a9fb9cd730bdd699382d72c98c7

SHA1
6e68149d098f5c958e15c2c21be88f28cac695c4

SHA256
7bc969c16aad849d7f9ee260440ba8829c7125958a11238c164075565132d41c

SHA512
2caf7eee5100eeda189e55fa1ccdcd4c47f09df5d34613b03bdc6326dc5e4892caebd8f9bf114255eed45fe8be8c0eeef20dcc55e6ef84a68f9bdc474a05303f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a5502ec16cdc96107792e1ad73015da8

SHA1
9f07f6a920bb1cc8634a3e79b8acce2acf6eb85b

SHA256
2acb15120f113300768815e5685b987085861fca48c32d08fbd0b1bb77b0ccd1

SHA512
6327df490ef603dd44d2f1c8c6cab34e9e2125903ba09283e0d2c0f0e66b0efeb82da79fc08b410cb51a97d9653213c99c000f218d838c5d523dcc09d3eb87eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1c8dbc68946de6169af63e822c36c634

SHA1
d0e5d335dde7895d14395cbd00ce34f10c9a471c

SHA256
7dfcb05b828c80ae7a853cbc189d5a65a8031506181bf80ee668c0b7926b10d8

SHA512
2f4555d4ed2f59d16b6ee9bcebecd0ffe2a40c829ede260950b891a95e1bc7779a7db653df7e97d73bc73888a20f115d4be5b2bd3e823079655c63cfda191448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9c0aab762b34c44aacf6b3d27601b20a

SHA1
91ab8032d8911d1d136aecbbc7d75b780ab4d25e

SHA256
420eecb496492f83b4b1b0146d8f3b35be8fa229bc20a954519d1698d1aa4df6

SHA512
f870fcf702241921099577170a2e80219554c6a5f1f0ad0a8d4d304415adb66d47dd02f7b7267aeab0d922c84dc409846994eadbd329abd202cdb610d197731a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb6448f377c6192f252c830f919c386c

SHA1
c94a7e2a89940e262d63574c906aca4e9ff6fcc9

SHA256
746f114594e8ed93f2a4eec9f2121a3d2a4e3b1a47365278038096ba2b23e003

SHA512
a25fcedc933917075ad462a4738341a343c3f8943cbd74a60479b4d2a06addafc4dd9ead842bf706307380bf65a5947fe31afa40ee7c07e7ad4a17a4ffa1d945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2b9d1e93c7bcd10b902f06965569c713

SHA1
57b251a323b2be7348dfaa1fbfb8031c12b0b65f

SHA256
d4add50ab278c13be64295b0d5328c11597028c9a729941430f3671ada69feca

SHA512
4af5e26ed5ade8841f0223fc65858d5801646a19dee6958e42e893df8f98180f85b1a22213afe359d3a9c9c1e41568a20d0c1b673cd880237a0425aeec3d2685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
9c5088cf2e2cc8a40b6f1da2a53ab595

SHA1
d1a94fb192a6bbe41138679b0d97fcf731451e81

SHA256
e8307bce528d6928765f578f0715c7468376725feb456c2224466863d4c3220e

SHA512
68f4ffac77fe2e9c7b184b6f2940439907a57e61a10e6b985914928f92d6152ea4cc6a3baafb5f05f301e63dc7639b2535ad8a466e747c684cadf796e7daf0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a51a80a4fd5beda06c5ecbe631a936a6

SHA1
c98f039f058f616c6096bb8d6e4b9d10be637101

SHA256
e914f1a03a376435b9c48e11467fec91a98b5f58d56a184c962a9189fa617211

SHA512
30de4befd4151ae72c9edc4527fb6634a6a30a3b7ae6a3a190af714b5af9505986ae9211a7e8ab1938dea3918e02b023277df557c00d7bb826ac2c740b369565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1ee37395b0f429cf1cf619e1fc4b36a0

SHA1
2d34cadcb6049c1f2abb6176cfee9a3142ca0d04

SHA256
2750140de7d6f4c4788aa70378facb00f254fadb733615f2f9e86a07deb05d62

SHA512
7ef36faf243768eaad7e83e292e47c10962d28da9758dc366c08514ae49cdb31c5c314b4d3515be2db55eb5f472d4a2252d27b6ce7731902dc9d92d2f5f68846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
551c090fb3fa0c256f7b2b12c60e6b33

SHA1
e38277ccf7350bd85b12aeff8b65556dcd4fda0c

SHA256
647ec3aaa1fd5155642849ff5322453360940a9298e09c54aac0136176beb54c

SHA512
0e1960858a114aca00e61c72f22c8b51878b0c410d283b60de3491b2e535b23e2d2d81e5c944a2bf86e69c7981c03f61fe23d82ad1fbb41079d729185a8977c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c18b.TMP

Filesize
48B

MD5
f7a1a9335a2b428a8599f75530e04e1d

SHA1
e98f2493aa859e54ef050167176b061802182400

SHA256
fc422ae111bf10311fd9e7f14f0681494325f1a5d9dcfcc3bda136f72989f40e

SHA512
5344b71d18e6094ca4e68a6a0e98685bd135748b9bcbe8ec0400c00e2bd4811ce9199b1df8b09815183e5509bdbe325e58d478f7c18358f54d375f8e1e0639ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7b386bd4d7aafe7215849996041860ec

SHA1
c3dc3047f002449977604879dabfd72156a43c9d

SHA256
674bec586a67e158ec86d7743d052d58ac3f8ef8cb2ea81e02b1324fc5208d60

SHA512
ede996c469d36d6580bf1d29a4a475f10b73ef726b6b59317e3ebcc01489d74b577aed8d80bd58d78a642a33c552d2a557f0f1861a285025ab8da941bdf5854e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a98fe13da79a20857d7f3f34fb205330

SHA1
e72be974248a46c1bb8fc694e946e04ea178c37b

SHA256
3d71ab80833a20679187aaa5aefa131a5d5dec4549fd71c769886438a2e06bc2

SHA512
66ecddd13468d261667ca312798ac86527796a76497eb44f47d6400d70e276e7f3f851f0defeba6597edf946b52da663fc073fbec1dccbbfdc5d30b69b7c6500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
47c0279335643e65ebf65b063c720b42

SHA1
2ef33eee814c437dedd7deae370dc92928b4f0e2

SHA256
d61822b67dedc205b99ccf7a37cb5ae0905bbc5bb57776f0f74acdce0e0df09b

SHA512
e4574e2ac74ec77cc4a42559bf2ab7b32d24c6e9ad3ca6b94aa45a258386ff68940df436b2086804ef4ced06944445e3062f4e9c7afd7b574b78c4112c9f96ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578c23.TMP

Filesize
3KB

MD5
d690c18cf82bcc2a6eee652d230bb65a

SHA1
518834e5209e66afaa503d60da66bd5d3dd90124

SHA256
d529c782efdd50ef1877b1400ce7cf93625436e633c71ecd5a17eb8425122481

SHA512
04234d148995dd3f1a37d8e30f42c6fe17d11ee88c75743fddedb110d00a370c6d6a3aee9f04e439ead9539455f611d21b1ebc34a71cc3feb09fb2ebddab1907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9d678b8ef4922b2efdde41b62376110f

SHA1
4a869cf6d3a748650f443b401df3e2598f14feda

SHA256
fdd0a05d1672f3382b6b0d2ba0c36ad369f7d1ec5f06dbf7b59f70156cb87185

SHA512
5a56f1588b653f583387a967af8d78c6094be5b224b4fb4570b5f41aaea219558f7fe2430c3a41d6b3b8fdc4813866ea891dfbdfc4ce64252bd0b8a16447e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4e27a07a2224cf760673510dc99a1c4a

SHA1
afea2645f4f1e2ca6952c47be9564870432960d1

SHA256
213f5aeb19766ddce6641ade58b7f0ad39ef33ae5ca4fcf2742d747428f17f62

SHA512
7ebc41d3d2fcb0ec40991ce49281b0fe96d4b4850a2280c84a781d2bfcb9a3f85ac812928a23d98b7eba34bb68a93b53a58e4b5f28e6453dfdc7be1d005b605b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2fc54b9d5b7dee0de815fb3340f96ac0

SHA1
390ef6d7e166ea4116ca2f854ef738c60ba98711

SHA256
72a9a343b051188a7b88ed4f1474a57f4745471d2ec144eaae6c9d2624aae745

SHA512
76435dc46657bd541db21b1e397b186733693022bec0ade1c49ebd254dea2bde9c38f37e6a9dd8e26fafcef141836814f83027542e2706403c804b5c945e5ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2105cd0cc1cf234972a0156aacbc46c1

SHA1
f9116b1cdeb99a036e39c40bf97cdcdcbd400d33

SHA256
41c21a0a393de698fe71af2325940d824b130ee94c4d5a46eec38f0833208949

SHA512
9788e4b1c073f8357cc0dc796403b2fe4d2cf291ec631812fbddef2e895cd9d77ee61db7b43fd9d8be8eaf46d0a01d608dec1f0f90e20f43dfeb9830972f04ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1yA11LA8.exe

Filesize
895KB

MD5
608c895ee1c60916f5ce8cfca430c62f

SHA1
4b5cd235b65f13ea86d00fd4cbd8e995b64bddf3

SHA256
c668ed683a26321a6769d9e91b0f35b39da584774e73fcefe913115cd9eb84ed

SHA512
4804de2f5aa5e3eadf88d6eee5bf379578c576c7cba31aac46c7e2c03a377d70e512ebcbd10c0f032b8f8803eaa89c4b0c0639417ceec178e266429e3a9057de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mG9138.exe

Filesize
189KB

MD5
f4af3a9bb5b128ea7f4a49016ae8de1f

SHA1
77e47932af41b3af5bfff73d2a4c9773dc224f0d

SHA256
195fa6ff08dd55ff8f112c0323885bc06e1d28ce38edae26cce1e33b23337ff1

SHA512
1067017da68040e8e1eab228773c37cba180731f8792462d94e1e52cc12eb63e5306b3ffbc1fb4f0047a9d29e8a060649b5914bb25ece9c2c37b75e143c50df2

Download Submit
memory/6220-141-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/6220-163-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/6220-135-0x00000000022B0000-0x00000000022D0000-memory.dmp

Filesize
128KB

Download
memory/6220-142-0x0000000004F50000-0x0000000004F6E000-memory.dmp

Filesize
120KB

Download