smokeloader | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Size

758KB
MD5

5177f9d2842b74a2be7f5aba232faffd
SHA1

9b6c926c477183ff5682d2afe0cb62de976379c7
SHA256

3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63
SHA512

6fa2f49b55f799a8f82a8d520db344383f645c834291d731278a08e344309a9d7064ab6123e56d43a00fadbbd79694d85355b011a145aadc607137bc26befd15
SSDEEP

12288:YMrfy90krNR62zK5vnO9DfvHGmnqc3HJSo51S92qKytTWWzkyJyl:HyTNR61nO9DfvnV3prc9JNWoNJo

Score

10^/10

smokeloader backdoor paypal persistence phishing trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/5692-146-0x00000000025C0000-0x00000000025DC000-memory.dmp	net_reactor
behavioral1/memory/5692-148-0x0000000005090000-0x00000000050AA000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

Processes:

gV7DZ85.exe1Fj83nk1.exe2YD6343.exe4xE421HP.exe

pid process

2552 gV7DZ85.exe
4616 1Fj83nk1.exe
5692 2YD6343.exe
6164 4xE421HP.exe

pid	process
2552	gV7DZ85.exe
4616	1Fj83nk1.exe
5692	2YD6343.exe
6164	4xE421HP.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exegV7DZ85.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gV7DZ85.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fj83nk1.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4xE421HP.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4xE421HP.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4xE421HP.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4xE421HP.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2844	msedge.exe
2844	msedge.exe
2184	msedge.exe
2184	msedge.exe
1560	msedge.exe
1560	msedge.exe
5208	msedge.exe
5208	msedge.exe
5564	msedge.exe
5564	msedge.exe
5828	identity_helper.exe
5828	identity_helper.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

1Fj83nk1.exemsedge.exe

pid	process
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4616	1Fj83nk1.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

1Fj83nk1.exemsedge.exe

pid	process
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4616	1Fj83nk1.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4616	1Fj83nk1.exe
4616	1Fj83nk1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exegV7DZ85.exe1Fj83nk1.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 5028 wrote to memory of 2552	5028	3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe	gV7DZ85.exe
PID 5028 wrote to memory of 2552	5028	3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe	gV7DZ85.exe
PID 5028 wrote to memory of 2552	5028	3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe	gV7DZ85.exe
PID 2552 wrote to memory of 4616	2552	gV7DZ85.exe	1Fj83nk1.exe
PID 2552 wrote to memory of 4616	2552	gV7DZ85.exe	1Fj83nk1.exe
PID 2552 wrote to memory of 4616	2552	gV7DZ85.exe	1Fj83nk1.exe
PID 4616 wrote to memory of 1560	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 1560	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 1284	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 1284	4616	1Fj83nk1.exe	msedge.exe
PID 1560 wrote to memory of 1388	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 1388	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 4820	1284	msedge.exe	msedge.exe
PID 1284 wrote to memory of 4820	1284	msedge.exe	msedge.exe
PID 4616 wrote to memory of 4584	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 4584	4616	1Fj83nk1.exe	msedge.exe
PID 4584 wrote to memory of 3280	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 3280	4584	msedge.exe	msedge.exe
PID 4616 wrote to memory of 4696	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 4696	4616	1Fj83nk1.exe	msedge.exe
PID 4696 wrote to memory of 3104	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 3104	4696	msedge.exe	msedge.exe
PID 4616 wrote to memory of 1172	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 1172	4616	1Fj83nk1.exe	msedge.exe
PID 1172 wrote to memory of 4956	1172	msedge.exe	msedge.exe
PID 1172 wrote to memory of 4956	1172	msedge.exe	msedge.exe
PID 4616 wrote to memory of 4008	4616	1Fj83nk1.exe	msedge.exe
PID 4616 wrote to memory of 4008	4616	1Fj83nk1.exe	msedge.exe
PID 4008 wrote to memory of 4396	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 4396	4008	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1284 wrote to memory of 1984	1284	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4084	1560	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
"C:\Users\Admin\AppData\Local\Temp\3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gV7DZ85.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gV7DZ85.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fj83nk1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fj83nk1.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
5⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
5⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
5⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
5⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
5⤵
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
5⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
5⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
5⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
5⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
5⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
5⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
5⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
5⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
5⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
5⤵
PID:6408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
5⤵
PID:6428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
5⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
5⤵
PID:6672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
5⤵
PID:6812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
5⤵
PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
5⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
5⤵
PID:6620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7996 /prefetch:8
5⤵
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7996 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
5⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
5⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
5⤵
PID:6736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7580 /prefetch:8
5⤵
PID:6720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
5⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2697445567285840614,17684011531171147171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x150,0x16c,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,831135374845942797,12277819521368271665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
5⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,831135374845942797,12277819521368271665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1383977905692981040,14131236593512543283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
4⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17707071221658004118,14257389228948937776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1354301806186112503,2664051771366378482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
4⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x88,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x148,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x124,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc74e946f8,0x7ffc74e94708,0x7ffc74e94718
5⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YD6343.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YD6343.exe
3⤵
- Executes dropped EXE
PID:5692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xE421HP.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xE421HP.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
0cece93b11db7d167826898ca8fde45a

SHA1
19b545318cb017a575ad7c06f54bb4c4918e3093

SHA256
34cfc1eb1a43965945d8c4cf0193a997fc6af86e7af971521b430483fa09ad87

SHA512
7d181fc5d4d934af5f86d376009da97d697ec8fc78317db6e9234c8dfdf9480f8aef3d3c07fa6098035e345820e98c2a26a209083bc709c9fb08c72a657bc699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fffc47b32f94195408fdf302a1e730c8

SHA1
be719eac12d52b4d7e20e0dcd5a06a9a0b56382a

SHA256
31aadbc6c0017443ab9d9661f35e9b4611b76acb478e88d42d76c53788ce55ce

SHA512
83f16aa695e696817c81f3841a0373b8fce17e1e08d3075ba7ff8b21cf1a8224d0a3aefabef0436ae5fd04ba320be82f553fe468d45541f282ce1a679c71e781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_x.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c87b99f8c01063d54ca99cdd90c54c81

SHA1
6e80bdc7411619188adbaddac5e602c092f90f0b

SHA256
84e0e6d85568636bb26c14f19df7dd42e20e1e35fdd59ed78b2df46922e05bde

SHA512
f9743ade98864b406694cbcae6a4c9d309e6e5da6243fa148dfe13485466560b740c3495d5113d429ab5817ab3fc55c0276200fd0788b336f2bd111923e39583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d5023e8b8fcf88a4ba127ad82e923362

SHA1
7e41bc278e32c3a546ea157c78d5c3ec9f3025e4

SHA256
9731f18bca745e4bde83425d19c8ae161ab3d8ea70ccca89689610718655e28f

SHA512
975540ac14d1a68c134033f1a7c8af0cbf3d8346a75a4c7ee7466ad08bfad1f34ec9b63b3718c764a6134f992cc4ea81b133736a33bbddff8328613d65438ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6f986fd3729ccc1fd6459023c10c8fe3

SHA1
724b74ea8df1a4894e55658b333445c83ad13843

SHA256
5032f7fd41a7074648d541ded4be2285e88a2da655b8714b0211281927a6df71

SHA512
8400631ab08c04aece7246ca55eb595fd49d1d17976ba5c6146b899477e4b7ff5f0ffc78c83198ab71c7dfb4e98a0a88c5a19c6811f658994e97e21c158938b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1db90c770c66c3fdb76d8aef08eb8c2c

SHA1
fb933854954bcc36afc28c4950d122102fc337b6

SHA256
b075ff9aa3fce77ec0de2778f64c67f50a197dd6686ef4a70b969a22e2437121

SHA512
627c095046235ea55e0453ebf388da5384bf4c282455427399b1895b531502e1ddee4911ae8d5179d52f4791bb999e06c920b0b754be961a360d9f61a03c97fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d63d4ca7b94d6ef1f019af328c9bfab

SHA1
08841c94264f3166c28237a51536bd2e82ce8f17

SHA256
15aecea0fd4c2c928a0286fb0d3630501c6dc9cc7b072a1da2e872def13f0d51

SHA512
bf10f43504a7173d7f4d7e245b15dff0d266ed2cb31fd42a7c82ac518b6c5f7819cc4abe7104733fba5291df9fea3ef2ec25c3588d304cb325d75fe30f78395c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0019aca99379a174dc16179d574b961a

SHA1
d1e6986028e6dfa69b945731bc21c67b6502fd88

SHA256
c62758ec8a30ed18d33bbbfb9677e66b5b31d11c9c1fe2ecf437eb35ca11e17b

SHA512
fdd55be4f341966697b980a1895a8a2634bfec9e2a5c15d6ff46065b743eb9377d6c97ad5820a41fbb3a1807e82e624dcacbff316cbd101728e22a0632a4bab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
9bf6c87272218b2fc7ffd935f8d7f79e

SHA1
33acdca399218881032d5584a0bb9d812dee4cb4

SHA256
14e67c5ff4842a575d3420586bb65e2ddc6169a6be4297caec3e24772a75e251

SHA512
8c38e3e3ad78ce69805d1e17ece1b656a9410eb55073de82725f2a88374dbe6a07dcf62f85cfe81bd6ad83ab279f44f59621ee885c5bd4d2fd2694440038cc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
85d90bf9b2da3c47ca9bee235181c0ba

SHA1
a8f2534621f462adb736e1d529473fb994d66b31

SHA256
168614c824e410e5cd8fa9ea48869cd5c149f4dee0ca393b9e95e5a0ef0b5e2d

SHA512
f4cf784a540ea2610d4cf3643cf7b2137c11ee93b2686497aba2b0c2a7e41ba4744e82b2cc58ac957613b8c1c3c0449c911a2f87f60ba64a8997c486d988f594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
146B

MD5
349873b73c19d31b0ed4fc44a97f3352

SHA1
9a9eb862fb140c6a7639dc3a5aaeebadc4352430

SHA256
7d024b5b796a77c7cf852987db67d24b275491a08f04864c130856d8a925555e

SHA512
ce8dd380bae9f7d8e2e3ca1d7d7f75a1958a2b7c8fc986c98673a330ec871a56d39fde077d2043175cc11b41617a9b871e23e51e981886af47ae8e5a883063f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9cf2c8149521644479d4019ef2da8baa

SHA1
70e025c066006895abffc98ad5a8e2d3c6ad1f90

SHA256
0bfd7bdd7d78b8893f44c952ded1d84aa50d3871ce5a8f2ff42625d9f6d33bfc

SHA512
8608b97e27715e1cfae698f39602c1fa5e32172cc5309caf2c9b3562e8dda42043996e54836ca595ccd4278e79f2ca306f0611abba1c54d89adc58d1b066541d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580395.TMP

Filesize
48B

MD5
478ccba5c272847dc4efc0ad460c5eec

SHA1
bd4d406dc37816f16546f0bc51891ea3b0513328

SHA256
ba5e5ad841c893fc9b47cbb43fe5932e03134f8df2c9fa449ffc9222d6483c50

SHA512
97b3caf999eb1740f2e86b3d7b1c8331c1e77ef9613a9ad606c1e334d7f6999c8ad57d0ca5b15ee91392ca25d5e7ac198efd0060f9d8535b98920f5cc83e6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2dc0108709463ad1611e7a47c2a9216c

SHA1
dad804023ef3e723904b07d18939466f22847f59

SHA256
7d8495e616307ff73cfc684b9d60c17f3821e58c2e6a54679bd49b8a89245810

SHA512
e5fd37167f96f09ee154402c9cf39a6363d4e8eaa3026de5b464dc9768e703d62ec418feebda6ee9865119228940b92300aa28f54d97c9742d05e578e6609f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
59915fbd2dca8832f695a2e8fc0260ff

SHA1
ead86508f01b1319978a7e3d2ad975d8e34d2f01

SHA256
b2bba3fdf0ee5f5051aff1a158da6d81462d31ffab81770854bf82049a719d4d

SHA512
6e31a726a9f77b3b5f29217594b9238171facad1e1c06bc2dad954164675283d6a705b83cc58be71ea58fb797a6b0d4e5531315975ebde15a455842fbe1de795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4255c7e15deebcb2f40d848c408b893f

SHA1
c317a368cae8a7c83e397ad491684fadcd2b87c4

SHA256
0a66197010a97d341d3287823b7ec04cabfbaf055a92c6c21ff11a94da92c637

SHA512
c5eeb6b727ad2a3e4ae3de4444de82d9f8a7c95194fbda1a133ecf88538e3a10a05da6d1ccf722cf9d8ce9e756de5d53a8d29aa04384c56fe17f1b9adb0adacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
33a7dab5cc3ba015c979862f4ab20d7d

SHA1
a13e41131bd43a3908e32e3dcfa3d5fb5060b731

SHA256
05d29c6cf5bc96f62d906f69f85b4bbe5c909a30cde776c71883dfc92ef25d5e

SHA512
0996e6b50bf9b35b1ccd6fa5a03d86b6749414a7c80f70142fc469925d20fb76d4bb7a4f3fe525d8054c0cf8b0e1d6c5293f2a5eadf08840841b5bddde24f9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a345.TMP

Filesize
2KB

MD5
6bd2ca17ece75bd8a599333a5b1720b6

SHA1
57bd9bd5a5750d56ede2ff4ec4e55cf7f0bed388

SHA256
f95b3dc9c9a207547ddf4d67239cf7b921443a48e495a75dd45773a5b1874a45

SHA512
4d26abe81c36381643dc641577d6fce046a1074e3c9e22514995bc342ef2585020efc6ec479d5c791976942f158f4904124ce325e3b1bf18f6b77936f70b0b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\baebb5b2-69d4-4c5f-8946-2aecd97394db.tmp

Filesize
4KB

MD5
17a58c6e5f5c4e8d25c68995cb69019a

SHA1
05efd6d1b5bfa5e99dbf6b701cff09a43f758c14

SHA256
bda50129afb979db5e7a40090e413d37f61bd22db24eed7800a22e7a045f8a3d

SHA512
5d97ab530dcc750f0f30c065dfbffd780f295046f1e3280da9da9ba7bca2573c9792f06d52ff3a5a01dccff2ba3a0afccd3384f5e939359374f4514508089bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
383ffcba379466063dfac862ad05201c

SHA1
cc7f000871ab4008ac1f4cf04f6d32d4b3df4b0b

SHA256
fc1e9fff9721cd33d488fda8350483cf642c5c5e3c99aecad31bcf1e624a5793

SHA512
bd2737174c17eeb4f86ed60bb5b732ca83178dc526b844d321c439b447adce26ce1f9a3a08f89bea3e7d9d59bd164d61b0b50111e71f69bbbf7d2363644463ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab9a2092272d048b0c798bc0c9a2e500

SHA1
d9eb441087516a7980970d99b3462fdf599f73f8

SHA256
a67da565727ebfbb114bfe022b3f8609606c4d32ea5cfaba00b302995ef58c64

SHA512
080b33e609a784d9836fe793ed372bc49a600e534b270a9c687011b77062aea93a2ed2df9732237da46ae93b4f6dd49989bd81afd277bd48fafd963e00ee4494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0c5caa3a653f44ca7307302f0e14eca5

SHA1
0a5b2e00a0b3f0b913c83b066057e25d51ba2277

SHA256
1f9ee37db776a431f654464675e449490212a89f84560148ac33945230b71427

SHA512
88766d1c8c5496e43f19d588a6b813f9f508ced00cbec5c4691d1e2720e90a05836813490700f85a889a954fbad96eef7aea3b70543ae4b0f3b9fd1b2193792c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
db8e14bc6d0fb44f7d69becb4089a583

SHA1
402438d52ac16d57e6a423849cb6702ac94eddf8

SHA256
c3c95a0795b63e3c423a30028479e7dcdc5e822a08f3d72e4bc689a02c8edcc0

SHA512
d8c8a3f1fa89111aabceec3b1dcf474b98ea3bb3d507f53cbe887541e702744783692416b3243b7e0dd677d8c72c8649f81df40b67816336caad20598dfe04e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
68f447c702b0ed58d9beb0e8e911bb5a

SHA1
71efb9748e3c27023b54bd3f7e760d5e2aad9af1

SHA256
8900eca9a7e2c989be098220659fb6b46e43a13aad36fba422e1510fbd2e0f13

SHA512
106c32917922443bf6a5c1b1f145327ecc369e133db406e503a15cd46e1dcca53f0efb0082517344b8b8c48cc6c9a40b19d72fa5de4045aab696eb527e93b685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xE421HP.exe

Filesize
38KB

MD5
3f8fbca34f369412254dba6a5e568d06

SHA1
012a3b43dd88dd4240c838f66d24167ad495e2e8

SHA256
a6e75460353f930fe37074adaa5e317940b28cdf40a87493101c3149cbbe2bc2

SHA512
2a82371f69fbc3ad7e0ec6ad43dc47564ef42c0fc22da83bcd4127eb6bc5fe83c2f8d43df2ff6587da6ab66e1d858060fda8dd4b800d4fdafe70425b59bf5f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gV7DZ85.exe

Filesize
634KB

MD5
3e05dfccb1b88983cfb2c652c6973ea1

SHA1
eb7f4d4317f7d23b5f177c732da869d5c7bfb88d

SHA256
2cb56a18d5a233d3a83f79902a05814b3ac113a0d05d00ec863ae45315166387

SHA512
5df68fbf976d6218df6deb2eea273e947715726987e08cd66fcbb81741d4ae7581d2f1784883b7977e9a42ac18d06478cb62ca426b62445985e5fd384926bcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fj83nk1.exe

Filesize
898KB

MD5
4e903722f062f52bcbbaea07fcb804c6

SHA1
c81aff391e1910e733a14e2933a440581933064e

SHA256
f09a3cecfeeae14f9165245c4ce951eb4eaaf4a7d061d8f6af7e8a561ad6edfa

SHA512
2d9f9472e18221c2e9fbe7a6dddface65db74a07ef0819096ed905fcb0e652c760b840172099519519c84184442410dc71e9a872fb170fb805ee47ca3cb72bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YD6343.exe

Filesize
182KB

MD5
7c843f9498585e492c94721ad7113b63

SHA1
03dd3da5b0fae5c0a037cb242d9f0c0e8c989354

SHA256
a25674069b6df920ad68ce548f7678c8e4620717ee97a93554fb3d4e8293d307

SHA512
70546c2ff3b17046beffda3e4b64e78b1efeed6dceb80c79d91354bad9dacc4b978a59c541878b3f4e656e6d804dcf2c1af6b36a1bec265471f2f9f0dd83e3c0

Download Submit
\??\pipe\LOCAL\crashpad_1284_FZAQCRVVOHYGERYH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5692-146-0x00000000025C0000-0x00000000025DC000-memory.dmp

Filesize
112KB

Download
memory/5692-149-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/5692-148-0x0000000005090000-0x00000000050AA000-memory.dmp

Filesize
104KB

Download
memory/5692-147-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/6164-811-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6164-230-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download