mystic | 4b8426608d129065454fb59979cb7863e9b221d10a94bf05a1dddf8807d50656

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe
Size

781KB
MD5

86aa356413721bac81b78995b7fb3d53
SHA1

15a9cae2c63da99804d66109fcf3fa4766aaec16
SHA256

4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2
SHA512

6618cb638105eaaa4928f93723d3d8c48035ab646b3a0431db12d994a4147a8291a69d2fa4042e98077cfb432ccf1b30ca9775845236e42d15d82982072fd5a8
SSDEEP

12288:uMrgy90WDMPyYiY0NldHSraex4IC5ipCPHGkiPLvTMXiYQ5DsHYhYgig489JoEoL:KyNDMPQ5MaeuIseC/GRLYDOhYSoEI

Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/6276-171-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral6/memory/6276-175-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral6/memory/6276-173-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
3724	KV7GM83.exe
4548	1qz44sg8.exe
5616	2NK2426.exe
6532	7xC42it.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KV7GM83.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x00080000000233d6-12.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5616 set thread context of 6276	5616	2NK2426.exe	132

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7xC42it.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7xC42it.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7xC42it.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
732	msedge.exe
732	msedge.exe
2428	msedge.exe
2428	msedge.exe
2076	msedge.exe
2076	msedge.exe
3568	msedge.exe
3568	msedge.exe
5572	msedge.exe
5572	msedge.exe
2712	identity_helper.exe
2712	identity_helper.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe
4548	1qz44sg8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3724	2612	4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe	82
PID 2612 wrote to memory of 3724	2612	4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe	82
PID 2612 wrote to memory of 3724	2612	4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe	82
PID 3724 wrote to memory of 4548	3724	KV7GM83.exe	83
PID 3724 wrote to memory of 4548	3724	KV7GM83.exe	83
PID 3724 wrote to memory of 4548	3724	KV7GM83.exe	83
PID 4548 wrote to memory of 2428	4548	1qz44sg8.exe	84
PID 4548 wrote to memory of 2428	4548	1qz44sg8.exe	84
PID 2428 wrote to memory of 116	2428	msedge.exe	86
PID 2428 wrote to memory of 116	2428	msedge.exe	86
PID 4548 wrote to memory of 2156	4548	1qz44sg8.exe	87
PID 4548 wrote to memory of 2156	4548	1qz44sg8.exe	87
PID 2156 wrote to memory of 2676	2156	msedge.exe	88
PID 2156 wrote to memory of 2676	2156	msedge.exe	88
PID 4548 wrote to memory of 1764	4548	1qz44sg8.exe	89
PID 4548 wrote to memory of 1764	4548	1qz44sg8.exe	89
PID 1764 wrote to memory of 1580	1764	msedge.exe	90
PID 1764 wrote to memory of 1580	1764	msedge.exe	90
PID 4548 wrote to memory of 1692	4548	1qz44sg8.exe	91
PID 4548 wrote to memory of 1692	4548	1qz44sg8.exe	91
PID 1692 wrote to memory of 3768	1692	msedge.exe	92
PID 1692 wrote to memory of 3768	1692	msedge.exe	92
PID 4548 wrote to memory of 4876	4548	1qz44sg8.exe	93
PID 4548 wrote to memory of 4876	4548	1qz44sg8.exe	93
PID 4876 wrote to memory of 816	4876	msedge.exe	94
PID 4876 wrote to memory of 816	4876	msedge.exe	94
PID 4548 wrote to memory of 3484	4548	1qz44sg8.exe	95
PID 4548 wrote to memory of 3484	4548	1qz44sg8.exe	95
PID 3484 wrote to memory of 3960	3484	msedge.exe	96
PID 3484 wrote to memory of 3960	3484	msedge.exe	96
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97
PID 2156 wrote to memory of 1288	2156	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe
"C:\Users\Admin\AppData\Local\Temp\4bb1d789dfda1e41c8f39182a3f53a19e105cde455b57f94c5c65eb9ffd566b2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KV7GM83.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KV7GM83.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qz44sg8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qz44sg8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        5⤵
        
        PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        5⤵
        
        PID:3192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        
        PID:4164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        5⤵
        
        PID:3380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
        5⤵
        
        PID:4632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        5⤵
        
        PID:5288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
        5⤵
        
        PID:5416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
        5⤵
        
        PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
        5⤵
        
        PID:5832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        5⤵
        
        PID:6016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
        5⤵
        
        PID:6112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        5⤵
        
        PID:5592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
        5⤵
        
        PID:6352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
        5⤵
        
        PID:6652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
        5⤵
        
        PID:6732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
        5⤵
        
        PID:6468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
        5⤵
        
        PID:6600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
        5⤵
        
        PID:4860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
        5⤵
        
        PID:7092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7916 /prefetch:1
        5⤵
        
        PID:7100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8384 /prefetch:8
        5⤵
        
        PID:5744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8384 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8596 /prefetch:1
        5⤵
        
        PID:2068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8568 /prefetch:1
        5⤵
        
        PID:2816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
        5⤵
        
        PID:540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7912 /prefetch:8
        5⤵
        
        PID:6924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16504816163379953001,2734837573976301225,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7756 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x80,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:2676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,3734564750346796687,1921792462548615450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
        5⤵
        
        PID:1288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,3734564750346796687,1921792462548615450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:1580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10283648005080564031,13827481973479780068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:4748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10283648005080564031,13827481973479780068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2617602372082241763,9960568786785095939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,17327667587638956857,14366890009657334176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:2172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:3740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:4448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:5848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:5920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:1448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9921046f8,0x7ff992104708,0x7ff992104718
        5⤵
        
        PID:5544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NK2426.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NK2426.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xC42it.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xC42it.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:6532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4b9075d2af159bf58759c6b1d3ca4ece

SHA1
d5d3d7cba83288a089093baf45a435477d4fed3c

SHA256
b53fa5fc50a7ba25de73c1a90a7492d369f6cf70711d8afc6e4ac5d21bda3459

SHA512
b1fa77c838c536ded8860827982129e41cb528e2f2e2c0205b25ce173721836ba242e61657f9d7b8d68d60ee7f69ee44d2fb5a87f25ef90d8c30449b308676a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8fb706add019cd0fb78acf6c16bad331

SHA1
99388fbee8c61dbc5c9e06fc0db19afa2f7d150f

SHA256
162f12a1c97fcb5096f374f32a5fbfdae59570d1ee448320762736a9293ef8b7

SHA512
b8cd3ff40d2fad18986e7a5be436d639e25f38f3b00aa3d3468d79f3d569db608e879618798724d94b8eecb602262fd983876276c36afc8e3aae480172474b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2fa1f33951638a074169a48a847671ce

SHA1
9c3051e23f251ba5aaf784eb9df495b1580a0618

SHA256
c9fa913b7277815e20ff66b706c67d75b7f303de0b2bd111a8e399a391a84632

SHA512
aa4fe4eda080a64867a08d016d7ae3c2d079dbfc00c582ab1fd420e55be7512b4ab8743cfe6573f4f49c90f56f457b0ccfb31466687609a05e81d6abacc2b44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
17940e2a0d82f0ab423eff4dd4974472

SHA1
d90ee5b7eea53b2bcd03c3255caa27a7bdcc2316

SHA256
74f9a08cae1ca00d6555c1e1c95a75d1d381e81e49569833698e2bdfdc09e513

SHA512
bbfa23d2ba5e67ce2ce9a1aedcb71cedfb952b27b65144223e94c9204d4b5c8f2a5faed06fad073cb0727309d7f13e9ac30a9f0d512af382aefe7f4672562f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f103c357816639e6f2fd19ecd9e55622

SHA1
02ab34e132e0b743f83f374b58dac50a69704f94

SHA256
024d5df1afe553083dd50d198b49570680cee5283a85e39c53c0c0de666cd0b0

SHA512
5fee4d0572ec80493e1bc5d6f194717208624f66ccb2ba32635d7b3dfd1df767efb724ce5327c585bdaeb9a61169bc3b3a94b9f3b0ed4ee0705a71c564f48ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
313b56ddc188f21a26ff18f679f17c67

SHA1
0778e215c59557c3fa1a9877f740f282694cf44f

SHA256
7ef5a2d15404a41f5a9aac36eaabe3d4475a87d536b3e68cb8a04d5a039a948f

SHA512
00ad8f360d0460786e831f55f40e223685f32cd92e06b089d56a73b0af07b3e9dd087ffbd3af9c00160197bad3070e01a7b1d681687a7b35348e01f892d426f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c705e3d91b3826c6c1af93aa2fe72635

SHA1
3d6d53ef5c99fc7c5e45a8a052fb7db03b36a06c

SHA256
fce21d4b49be790d5091db0619b8ef8fb43421a908892d7e5f3e0de894ef987e

SHA512
c362ae66457657936619bf3039d76afef955e0d09d90311151ac84d979d4e365bbe91ba9fa1b9dc2fc6943c4dcd16c2062de0df13be9f69e92afbb729c7d0024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
37d9661ec9b37081ca11b8607ffaa80e

SHA1
92607177c51443a974ecfdd4c2022512567dc63e

SHA256
8204d3590f8c642dafaeca65a144801f6810d6d8792c2a844270af2669d25479

SHA512
059306778bc7afbdc70362bc16e0133e7566d65c9aa803a893fc86bb8d63e57b7c3e3cd7ed267fa58d13ebcf6bccf300db522514d5da7ad4ab9cf3906498179d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
fede3d4eb7338fbeb509338db492f17f

SHA1
0a079f747d0006539c8ab310821a8420e8989c34

SHA256
9de74a3579d8d1d45efc969bf457d2e16e95c126290378e3f8867799286746be

SHA512
8135dfa2c4f0a84bf55aa5009e030734b50d84fdcfc08b00f321f1635f21c5e4d5af5bc073f1799bafb8e7351c33c374c029d455bcb566c204e4335451eaf921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
5f6efb6a03701ee007865cf630baaef2

SHA1
59c15d8839a0d604b865037500b684285919997c

SHA256
6b37dcc6b60ab756060302f961519a6e22ecd9f1ea315bdda452748158cc7631

SHA512
dfc2b4db1c7ae258bc7061d1f421dc4fd1a257bea5ad5be38e3c0ceeea40855b574dadc22e88450ab8d2ef91f93a3d475a1ef3ff3e0973ff6368081b9edb7ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
39a44f6687ee916c2f4e3aff3f2d254b

SHA1
65a76954df1c21659c5e15d4c695398cc6a4c604

SHA256
a15a796b1f26e1425d97ea58da6daa44543a87293c00c0e33f8d6cbf82597490

SHA512
45b94acb780171a11311f6f74e9a38b03132f1dbe2988018388aa16ed4386a732f23e61626bb8df83ebd012625dfaa52db9ccbb017357f8615bc468c868ba48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f86a.TMP

Filesize
48B

MD5
bc12f404c8c07ea472d97ab6bb3037eb

SHA1
88e705186f3fb0dda7071b847e5a817c2b32d796

SHA256
bab64e4d98152474dc0d8c5173f385e4c958e915a47baff25d21b1cb7b89112e

SHA512
bb131b7d06bab145e523ac9750d9e61c9ae2f847a69a3ebb472439ca97d79aefdb7dff9f69967b5028caac9ed699d1590db79e33ada87cd392ab9efe4d46530d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
56416e84240d31d9e8c24d43b30e90fe

SHA1
eb65e82bb9d0845a4ca0aacab6eeb72981b8e4c2

SHA256
efb158c4b9b9047be882a966e039999add940bedc7e5c02c77d78d52bbaf6bb3

SHA512
fc071e6eed29a1d094cc8a23785b592d99da140195cabb861ea3dd1ce6f38f16f1ccca9483936b2c49be8b315b3c46b5b2c4fc2a2ee3a7c57d776c6d8e4bbfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
76d1c7b26e00d5f86eb246d6eed08e7e

SHA1
b5e4adf66c308e82d6fbf7779fee77840245f515

SHA256
1f999680e8a82b2f3e0bf1d158450c9a1aa1568f5345e1c3ee901f386200512e

SHA512
285a526fd15d48b7287d92c50452d15815f579c65648f3149869c052084ea62eb38f8c87e33b318200c0448bdfd95332137823aa180a77d8a92030fa6bae7595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
009246a6378cefae5860bed9fefed6f2

SHA1
6e5af8eb43bd6d106d5e81fcf66e8233690020ef

SHA256
93eaeeecb947f853db911b8464575479dc5f807504d48d188e242f4e8d8db5e3

SHA512
10b8877bd7af674397ed0292742023476ecbe566adb52b7b632724a06a7d5b51ad3b6e1d86a4ff77e44e2e5cf10aa264efacf1cd88a44e3497754e4a719d1210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ee92a634c60289f92874ba460eab8971

SHA1
1a5ffa79364eabae535067ce88ec9819169bb677

SHA256
2cfa50449d80687106de2fc6cde73be1972ba652fdec0becce013ca67dc8e771

SHA512
b1b2352967a09e23a83f5dec4b5482cf4111072766ebfb15083964569ea6225c9bada7d08a4aa4d87425ac90edd2470097b65b27234ae05044e4e22be24605ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a911.TMP

Filesize
2KB

MD5
f7388a088a13ad2d87aa871729ea7cca

SHA1
81acdb1320c1f3eef1154450a16aff357196b015

SHA256
5c3f50d1e698e5e158fbd4a53d5e773f956de7e2a0e9023da378e8354df67e3a

SHA512
06106b362b2bed68ca78cc43624a8d6f3c05240c8fc08fd1dbf3b823e38323be78ca788992ef4edcd4f3581f7e55cab4aca4cb9a20fee1bb7d81d33e40b3f5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
27b543dedc885153c46284a43d570d4c

SHA1
d00dee8184b1f043d4fb675de9af497a9b840a13

SHA256
93afe1aadf8f491e7a13a4912b07e42c6e63f7715294e4ceb071c3a2a851e7d7

SHA512
7cc9474142821f8525adfee27589bdcecef2899ab09f49f36490e3abbdcac92b35dfacac79bf2a69614ee1cca113932f5401695b309a87cb9da8829a8948615e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7a96f5d8a840806cfd790c3ed2cf9f46

SHA1
1eda6fce63b0541db58e96a91dc55d0c520d3081

SHA256
10be5ddfd0d97c0faf2eb86a311d42ba5484f61f7ec273f5402231d208be9650

SHA512
e74a7cb21b7c890937478804aa95f0921f037117c8aa952f90749739dded775d57c6e13af734d7cf934fff39c050c77421e53e94daf37747641b4cb6499416cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
064e3ac135dbacb89ed240e903f94b72

SHA1
23ad752435f70d37cc590b77ea9f8b5f25792e61

SHA256
c48cc383bfc3445b73a93e106aeaeae87da7152f968ff907dfaf5368a4614651

SHA512
72f515c3314a8a01bad89109bfc0e5b5560a2f9589703daf6106a4ad5a10860e6974b6afa72df5bfb9c523513d6be4289489a769eec48c2eefc46d1762a50cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5e634d48de45ba11f9ec6630501c0153

SHA1
2949024cf761d3db81f69d417ad6cbe9ee8279c3

SHA256
1c1ab87b084d0dbfb333f8cef6d302f83f1a173bcce20f188295324492113116

SHA512
862f158c3a7e2d5396adda321b54c777f7e9240c6c32abaf6814ba94ae7937af0043cd79aa273cc1a6dd800cc224637d57dce115c07641ec7bbee09799dc82c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3f8f8d4b48bd9f29d94f2e185f628c66

SHA1
760f1260c68bb10218ff2a34c91840b6e85c87f9

SHA256
c6051f664aa01d7642f7972363fdd57da8e2089874942d600eea5e842afdc077

SHA512
816d4e6e9438389b6e07d26be94187030604584aeeb2bac58dc4f7d8ea40a192309c4838da6ef9653f363e09276d8e60e5f7273373a421c9727061ac625d2aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xC42it.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KV7GM83.exe

Filesize
656KB

MD5
af2b02fdfdff6e69f6aeda93ed2ef1ee

SHA1
ca259438c7df30cc6a24eead2ad787db76ee41aa

SHA256
b76426e7e7027a05aa0c47da73d7f2b282bd7c515177e97809288a1940c9cd91

SHA512
51e9008c3466a3a76a5ae249be6cf6b864c6274a21656325381e9a8dda22b9c7f6b3c19406035c373ffe9a68f55131fecb3b564384901c3b51d553037da78d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qz44sg8.exe

Filesize
895KB

MD5
8d11278af40c999ec19fac9459100c1f

SHA1
e0960385c3f207033a1fc72fbbadb0713f37fec2

SHA256
834bd064db99b081cc83ea874bfa26087a8666f4ff3eda3397b6f8d3bc531577

SHA512
9c76cfd559271cfa8d3a8d2520b151b40b30d9534583e49891b528098e4c580fa89adc3d8865b580c4215b603e8b45c8e507fdb058c29774ef6e16d2c6a42a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NK2426.exe

Filesize
276KB

MD5
84ac33bcd5d4f93d3e0f84501a680e6a

SHA1
8e58adcf94da609299f77f94b2d0f18d378aeec3

SHA256
958604e8691c205be7acedafaf8b61c3ea0acf4a9d431193f24ae0b35fc7a835

SHA512
525a2602f6042b79a4b87b0bc1bb05edb039861e91206a733a25e8376d3f0024fcd7b9584e9484824871c959c6ab5e044c4cda60cd61d4ca956bfde35f426b77

Download Submit
memory/6276-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6276-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6276-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6532-186-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download