mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe
Size

781KB
MD5

d381ac0bf5b98cc768347eb22be18617
SHA1

2fc3368a9e9f62f87447d442adbc65755d201516
SHA256

c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168
SHA512

c4c363fe591c749328b589c8af0e9bded01638e6a9e4b400787daa2014c20e25be873f8c8e7dc63d4b8d3995364dbb0a2a14905c5b7f2db106b882c1f5f1a12a
SSDEEP

24576:vyIiN6d5UaeuIsKC/GdLYDcl4gf2M82ogZe:6sNet9EGW6jfogZ

Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/6720-186-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/6720-188-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/6720-190-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

dy7MF43.exe1Dv64HJ8.exe2Bt6580.exe7Mg71hN.exe

pid process

1480 dy7MF43.exe
1932 1Dv64HJ8.exe
6300 2Bt6580.exe
6848 7Mg71hN.exe

pid	process
1480	dy7MF43.exe
1932	1Dv64HJ8.exe
6300	2Bt6580.exe
6848	7Mg71hN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exedy7MF43.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dy7MF43.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv64HJ8.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal
Suspicious use of SetThreadContext 1 IoCs

Processes:

2Bt6580.exe

description pid process target process

PID 6300 set thread context of 6720 6300 2Bt6580.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 6300 set thread context of 6720	6300	2Bt6580.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7Mg71hN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Mg71hN.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Mg71hN.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Mg71hN.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2116	msedge.exe
2116	msedge.exe
3976	msedge.exe
3976	msedge.exe
2196	msedge.exe
2196	msedge.exe
5260	msedge.exe
5260	msedge.exe
5308	msedge.exe
5308	msedge.exe
6100	msedge.exe
6100	msedge.exe
6856	identity_helper.exe
6856	identity_helper.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

1Dv64HJ8.exemsedge.exe

pid	process
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
1932	1Dv64HJ8.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

1Dv64HJ8.exemsedge.exe

pid	process
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
1932	1Dv64HJ8.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
1932	1Dv64HJ8.exe
1932	1Dv64HJ8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exedy7MF43.exe1Dv64HJ8.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3420 wrote to memory of 1480	3420	c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe	dy7MF43.exe
PID 3420 wrote to memory of 1480	3420	c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe	dy7MF43.exe
PID 3420 wrote to memory of 1480	3420	c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe	dy7MF43.exe
PID 1480 wrote to memory of 1932	1480	dy7MF43.exe	1Dv64HJ8.exe
PID 1480 wrote to memory of 1932	1480	dy7MF43.exe	1Dv64HJ8.exe
PID 1480 wrote to memory of 1932	1480	dy7MF43.exe	1Dv64HJ8.exe
PID 1932 wrote to memory of 4016	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 4016	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 2196	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 2196	1932	1Dv64HJ8.exe	msedge.exe
PID 4016 wrote to memory of 4864	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4864	4016	msedge.exe	msedge.exe
PID 2196 wrote to memory of 2144	2196	msedge.exe	msedge.exe
PID 2196 wrote to memory of 2144	2196	msedge.exe	msedge.exe
PID 1932 wrote to memory of 5008	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 5008	1932	1Dv64HJ8.exe	msedge.exe
PID 5008 wrote to memory of 4492	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4492	5008	msedge.exe	msedge.exe
PID 1932 wrote to memory of 744	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 744	1932	1Dv64HJ8.exe	msedge.exe
PID 744 wrote to memory of 3440	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 3440	744	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4280	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 4280	1932	1Dv64HJ8.exe	msedge.exe
PID 4280 wrote to memory of 1232	4280	msedge.exe	msedge.exe
PID 4280 wrote to memory of 1232	4280	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3156	1932	1Dv64HJ8.exe	msedge.exe
PID 1932 wrote to memory of 3156	1932	1Dv64HJ8.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1784	4016	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe
"C:\Users\Admin\AppData\Local\Temp\c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dy7MF43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dy7MF43.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv64HJ8.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv64HJ8.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6546684516077269438,15217889788250025887,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
5⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6546684516077269438,15217889788250025887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
5⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
5⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
5⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
5⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
5⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
5⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
5⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
5⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
5⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
5⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
5⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
5⤵
PID:6180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
5⤵
PID:6352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
5⤵
PID:6360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
5⤵
PID:6568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
5⤵
PID:6948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
5⤵
PID:7032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
5⤵
PID:6848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
5⤵
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7660 /prefetch:8
5⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7660 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
5⤵
PID:6224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7844 /prefetch:1
5⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
5⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8280 /prefetch:1
5⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
5⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
5⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 /prefetch:8
5⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
5⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3309356312043569102,12791751259214917910,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,16200475605471120420,6576714961784631441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,2387238009748714161,6115763238735886048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8525801773314577640,7289913877301870797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:6228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8d7ff46f8,0x7ff8d7ff4708,0x7ff8d7ff4718
5⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bt6580.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bt6580.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Mg71hN.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Mg71hN.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
72KB

MD5
fb61978b469612f4e00837e696bc6e46

SHA1
2a88c162600429743c7377f3cd776474a5241975

SHA256
b0cb6f2048283e33a7594f92e7f57eac02a6361ffcdedc99ab99c344e11efbdf

SHA512
64049519475d9ab99627279512ba5e52c24760760291ed3ff9d9f2fdb8398e21d51994888bc3301b2a158bb240ede65f157b15d33f1efc256c362bc743ca4ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
45794655d62c9a29e33867b4453a20e7

SHA1
09920712cef31b54b13b34aa6a1486f9fe304cdf

SHA256
b56524f7351583f48a561ddd16369343b1392b080343e9ff96d08cedb8d5aeb4

SHA512
ddc467cd12a3f1ff82f3f86a0b77e478cd3974db31b1144bf889572bd89aee66d0e9112be59ba265cecaa9b238a935451dd8fd71ef8fea66036b51c3db0f0088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9c9af008c3e5ccc7dcf48b61cf6b4953

SHA1
e90fcf608447d92af5e179d95032577117fe8404

SHA256
c4e34d3c2b8cdb8e662cae66a6231500acb3b1636da4ff9b30458959c20037f3

SHA512
a8a98ce43402887b332bf7dc32b1ee0a740e54464a59127d9443d57167bda4c8c9317bee2b5ed29436bf04c4df0f733473740ff616e6ab6cfbf875223bdeb0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
26b5d264dfe47b08f0384929f3e26305

SHA1
c7c4bd63fe35cb1326dd7ba4630ee3d61418c100

SHA256
bde6412ad3a736f8f2820b41233fe16060c67fb76fc58974fb6ba2e3cdcd1d66

SHA512
cdd7f06acae34bfdecc45ccc4f7973ffb79a642940058eafe87205e5f98ba6ee429ecaf7548edabcf9f6ea8faf79b32f9cc74d53b8b925b2482d3a875f88b3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f0fe04b65145c40f44a7ebc43f9eadac

SHA1
b81efb25c753901d968e1ca098e72de543a1ac77

SHA256
3b38771545f3d054fcde28e22dc6762c76290a0d55a00e2707478dd3b5cbe511

SHA512
0e84626ce4399bb34d47f58b1630e37eebfc9714c402edd2ec596b7d5628055e7d89fc1e56a762c536913b2ea5eca1368538dbfb73d7751205d687f505f11f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd8dea3447142ae441afe54ec90b7a1f

SHA1
f8f0135919142d4dcf1b13a8bef54372c9f7f374

SHA256
9dcdbf890a7ceb054d1778b1652f858ffb9938321810fc9a8637bdd1cbcdb587

SHA512
f2ef9b45ad84b13ac234dcbc70910d8e3b44e90b59340eb4b97cdb30abcc15a02bfc2471e512619ef4f9d6cddb086f8d41bae9fd38d52c5248b96ec3da6a7212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2cfafd249117948d3c5b730786e72bd6

SHA1
b700b324765b7caace87a4f963968faaa08a15ce

SHA256
c1ae5bb8f55d0828c73112d2d8c45b458ae085964fb9b24604f0ae0f1c7d81ba

SHA512
d0e22ba8005cd5463b3ad4a4041531f2489ec636fb00cd7762bb753f22777dfae419b137cb387b4bfc1ebe7ec7708cde69f96bd76c93b881cf0367c1a05cb27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9f4257fb1a3d27d05d5794ed2068a5e4

SHA1
b840ce7657dce4a35c876d3f181a1ac43153114a

SHA256
8c855844d2361d5b4fce1090dfcd7bd2c8c65f4f146f5720a4016c2ecb0d0c40

SHA512
b7036ce62aaafab7b71fc35b0d4aaaf7140f8d93fe7f4b6ed7b60aeb3dd0feb96fee74dc6940c8111b91126b4a97c6a20e4cee5cc835def1dade8654eae09fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
8d954a35a6daa22ba1621b8c953954e7

SHA1
82b58005c707cc2d11f5d080290a3f496a631314

SHA256
4e704496e341ca6383bef2359e8e0415b3523aa4edc81ae7c690f89f6225fb63

SHA512
79d1e7ecc39f92b1096a37f4ad62bfdd62fb7e52dbbcfe9eb2fbc8cd1709b4448bc38e71d17a146a62546548b0bd668ee28adb7a73c8072e7e7761463fb44e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
d605b67a39e06d2aead0465189068391

SHA1
49c4ba7133ac921e5a588177d778794b5394bc82

SHA256
a2a9e6d9af659120ef981cabfc3980c4367f5bd0d8e96eccff31dc7430b1d168

SHA512
d871558d016454ef108759b114a1f06308dd38ff73ad803e7e14c81129193698913af7eef7ba23becfcb451687043661118bd1f9a021800c8e10e92f7d454a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ee84a8166ee51f97d225d883c7864fec

SHA1
656ba8a0be996320ddd5ee62efbf1eb079e9e2c3

SHA256
ddbab8e5ced4fac73f875e4b8b2f1b0666a6cb561284c76c148a42b3259def9b

SHA512
82bf6c2a6a9f9f15cfa97850a1236e7479c68c3f2af23b9413b3f075427af58492984ef43bf17dc89ee949af33c3e632b1c23fe0c123787b804aa6101976360b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6473a6413e16fbd4fffca3348443936b

SHA1
9f69478c6864027c0b7e6573c5537c2e87643892

SHA256
76c034bae36b1a1d7df28d23b4a098e76c8c05165daa6a5dd289a6da6c6958bd

SHA512
6334bcdc43658c7b2d65b263aaf4c0b8a3308f2d59b551b04301e1ce2108c1229a395b125014689db1402c41607b7de277630aff22e18ad9c46182379e00bcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e4a3.TMP

Filesize
48B

MD5
20ea08c8f8a48105eed8a03633558b9d

SHA1
5e924acbbb90553fc1fab38db7440071a4585ea5

SHA256
57c8c9fdf180ff2f1b56228af633a3c1f7897ce93910b16e991785bfba71ee51

SHA512
6b2bd8fecaaa6e53e278d4f07e3bffd57cd7f465289b3d629331aa3f9dd401ad1586f8e66af06ced202fde0aa3c12df790de51d1714dc86c821dc6ad45117eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
eb53b2b1467037c00e21f15df45dfb4e

SHA1
84ff9b027cc0e660e79f2ecf119114c0a871e658

SHA256
0d942955b22a0b60063cdeb2f7d7ded416243fe840735cd2827339172963e06a

SHA512
82027ef5e4cce7c1205662bb967d4bf4944669f54bd7388a512de6d6abf9fae4e7be87c7d151df4a825d607bc6462bbd37040ad2be05e8e818f6432df1e5c749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
fae33a40607b16c13d0fa770691fc1b4

SHA1
110b024f8afd3e1512173761fedf1fea293986d7

SHA256
0431f30d6414f1101b3cb2d6fb6f6b8f5b9c3a18ed212aa56687431c6e7a6eaf

SHA512
c864163763464eb4540639315267a035ef8e6d2fff8bf4f26baea2fda3b70f2c35ef5490e2e731ac604a32be0b6b8819b9afd329b9e66423f6669b695b70037a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
defd2c3db8c6a8d39c71fcd5229e2b98

SHA1
f48aeb786eb16b77ef1dd417e05329e7891a2b44

SHA256
05da56ca977e81b14dea1a90a779ddab669f047d6016edbf38907dcbfee514c2

SHA512
796dd8e3de8d64666f0069a06c127dbd5fa9a63453d6b5bfe3f65d1328cf5975917b1fd6f7fb256f46f225546b336469011ecd5d960bc037eac1fdcd6e25b782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579bd2.TMP

Filesize
2KB

MD5
db8d31d2739a81e2e7d954242dbb76b0

SHA1
347ef82b4921d01b30b95483fcc998d775e37472

SHA256
62868404081c98c39cb0b320c9c78e35ff1abf926812122e8c237e9cef301d6f

SHA512
8ccaae227cc337536541bf88cc2561ac2b647a50da9d73305acbb9cc398f3e03f8755c8834c193029fae730331b2b4d2b6cf821515966d60a4527c62b4967a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4f3b77fa05c141297bf9418f4dfe3148

SHA1
b6e5e4b7ff72efa3eeb719ebbfd444b2d911ceb7

SHA256
553ca038fa10c5d4f7437460661dce982908b891b1cad13dfd7e09563aa062f3

SHA512
7d55c2d1af290e7f3695c217c294201baf455d7a4f9606eb5321314c2e4972fffa021b6e794c77fdf3e75c42612a37e16916f0e86e65df539d4f50d015f6d972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba1554d9965284c602ecebac2e8217fa

SHA1
4b21fea7cf412467c35389c41eee5a0b09c1943a

SHA256
64b444c6b0a98bd03cb2568b6ca6df05c2ead7bb8c050db7f34c22ca2fc1187e

SHA512
3004aee768e2b6ae291b018b28e6ab1ee49c4b06319e1574cb127409c8dc69d49534c28ac833d6a183ba744aefe6fd4d84e99df2b82700214dd893bbc76a320c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2d811b1dc8203317a28cd5964f156287

SHA1
736903ebf56f6f3c309fcaff4ddf25283f2fe3ff

SHA256
2c91fe82dbef7a2c3622ad746ca90a4f129fe1a9c4f90c4eb11a193e223d76b9

SHA512
9cefdcb518a7b6717a01189f45938021485dedcc1cae6e5eebdb4f80ec4f8dd8256308a8ed088c120e90cfc297183b9756b5a3a5e4cb9ca07d0c5a7020eb8782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1a56721499135b3d43920b4e2cf44000

SHA1
8b26a1c1999610a8a466a19cf0f6e1305c6d7980

SHA256
70cebe14f97337d6a87f503ebd02461e40bdbe2f578f9751851b45c9cd5bbf2f

SHA512
fc614f8c3f3295c702629737872707cba31ce2db1c59483c788c110d8755471250d22a6e5f8ec92298dbba872f36f215ff02e33af11d2e3b5480cb807ad820bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1d0eb1e3aefd0a0c9d6502eb15e26f6a

SHA1
b995bf8d72583776febabe71405b9ad81ef8e89b

SHA256
66752647349ab6cffeaf57536d1a9aa2ae71293a092e9f67fb0e8531984f0111

SHA512
134ba5d5efa468522a04d9e9b68e9471bdd2d006857914bff0df23447f9da230696a190da71f37bfda3121753ad5c48a7d9c8858d6ffca0622ad84495c67b4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Mg71hN.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dy7MF43.exe

Filesize
656KB

MD5
7a2af50c0defb42bbc4ca9b27f07cfaa

SHA1
39df66ab586fc1e4a24a09187844e868500519b1

SHA256
2f82515c8577ba75b977f11728755c024e6c3a72f80d1dbb39762195c44b0919

SHA512
68b588c2311ccf6ec18153f44c650f2a98f790af3da441c47c047d95149de0e9c90838efeef613ae7d00490b7f5311dd91a9ffe136b870477945f14e2402d8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Dv64HJ8.exe

Filesize
895KB

MD5
d60361cdb76e53980d4073fc470b89f6

SHA1
578f8139b8070c962d00bf6f4d7444c4554a5277

SHA256
6507d9b5c1ff65b7a68302f9baa14828ffdfa38597a3a7723326237f8f859ecd

SHA512
0525f7f7e6fc605a2454ebab38f031966892bc5944ff5f03f3351b2ecbbec6eb2b5d7905916628767168d4eccf86bb576be856df50e6963d1adc9dac62156b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bt6580.exe

Filesize
276KB

MD5
6388d171313b848164f405dc3f7f79cd

SHA1
27eaddb12dea3065f72c2e6f146b24550cb3d986

SHA256
627bdf7a9650d45175723c9dd313ce63df6be286018d4e3f746c6ee42bad7e45

SHA512
6961e784720875763ec57c8d75cf57f9cc35a6f2a7ce64873c2546ea63a9197f4c1aac4e7cf68af5b0e4e2193c27a56109885741cba60a90b1c2b1aef8c92375

Download Submit
\??\pipe\LOCAL\crashpad_2196_OOHUFGDURXREBWFF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/6720-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6720-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6720-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6848-197-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6848-196-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download