mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe
Size

782KB
MD5

a6f4f009430e3d9254d86583cc3b8b30
SHA1

f27c4206c15f52751fc099bb272c7c489b1170d6
SHA256

259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83
SHA512

72f4d39b63f3efa257ae72ff958f49ee2957ee1ddc3a4e965702deb84c43bfa7283fa55ffa23a935522e0347c9233bb13ab3a40eb8f9be82b2622e4a340e2fdd
SSDEEP

12288:wMrGy90Fa9hT6A2bABaex4IC5GpCPHGVdPLvTMXiYQdDR+ADtHgNDnwCxVYcXbN7:mybOAEwaeuIsSC/G3LYDoZIwCVpb9X

Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/6844-187-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/6844-190-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/6844-188-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
2404	Kj2JG96.exe
4312	1Jr40SH4.exe
6372	2WO5295.exe
6984	7Iv79sc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Kj2JG96.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023411-12.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6372 set thread context of 6844	6372	2WO5295.exe	133

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Iv79sc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Iv79sc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Iv79sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
5076	msedge.exe
5076	msedge.exe
2576	msedge.exe
2576	msedge.exe
5348	msedge.exe
5348	msedge.exe
5384	msedge.exe
5384	msedge.exe
5852	msedge.exe
5852	msedge.exe
6892	identity_helper.exe
6892	identity_helper.exe
7004	msedge.exe
7004	msedge.exe
7004	msedge.exe
7004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
4312	1Jr40SH4.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
4312	1Jr40SH4.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
4312	1Jr40SH4.exe
4312	1Jr40SH4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2404	2072	259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe	83
PID 2072 wrote to memory of 2404	2072	259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe	83
PID 2072 wrote to memory of 2404	2072	259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe	83
PID 2404 wrote to memory of 4312	2404	Kj2JG96.exe	84
PID 2404 wrote to memory of 4312	2404	Kj2JG96.exe	84
PID 2404 wrote to memory of 4312	2404	Kj2JG96.exe	84
PID 4312 wrote to memory of 3220	4312	1Jr40SH4.exe	87
PID 4312 wrote to memory of 3220	4312	1Jr40SH4.exe	87
PID 4312 wrote to memory of 2576	4312	1Jr40SH4.exe	89
PID 4312 wrote to memory of 2576	4312	1Jr40SH4.exe	89
PID 3220 wrote to memory of 2260	3220	msedge.exe	90
PID 3220 wrote to memory of 2260	3220	msedge.exe	90
PID 2576 wrote to memory of 848	2576	msedge.exe	91
PID 2576 wrote to memory of 848	2576	msedge.exe	91
PID 4312 wrote to memory of 2124	4312	1Jr40SH4.exe	92
PID 4312 wrote to memory of 2124	4312	1Jr40SH4.exe	92
PID 2124 wrote to memory of 5048	2124	msedge.exe	93
PID 2124 wrote to memory of 5048	2124	msedge.exe	93
PID 4312 wrote to memory of 3992	4312	1Jr40SH4.exe	94
PID 4312 wrote to memory of 3992	4312	1Jr40SH4.exe	94
PID 3992 wrote to memory of 2492	3992	msedge.exe	95
PID 3992 wrote to memory of 2492	3992	msedge.exe	95
PID 4312 wrote to memory of 1456	4312	1Jr40SH4.exe	96
PID 4312 wrote to memory of 1456	4312	1Jr40SH4.exe	96
PID 1456 wrote to memory of 4584	1456	msedge.exe	97
PID 1456 wrote to memory of 4584	1456	msedge.exe	97
PID 4312 wrote to memory of 4684	4312	1Jr40SH4.exe	98
PID 4312 wrote to memory of 4684	4312	1Jr40SH4.exe	98
PID 4684 wrote to memory of 884	4684	msedge.exe	99
PID 4684 wrote to memory of 884	4684	msedge.exe	99
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100
PID 2576 wrote to memory of 1272	2576	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe
"C:\Users\Admin\AppData\Local\Temp\259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kj2JG96.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kj2JG96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jr40SH4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jr40SH4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:2260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,6286882205691791104,1405660383322259833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,6286882205691791104,1405660383322259833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:2252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:4376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
        5⤵
        
        PID:3272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
        5⤵
        
        PID:5860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
        5⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
        5⤵
        
        PID:5840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
        5⤵
        
        PID:6056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        5⤵
        
        PID:6264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
        5⤵
        
        PID:6408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
        5⤵
        
        PID:6580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
        5⤵
        
        PID:6748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
        5⤵
        
        PID:5748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
        5⤵
        
        PID:6392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
        5⤵
        
        PID:7076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
        5⤵
        
        PID:1488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
        5⤵
        
        PID:2948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7824 /prefetch:8
        5⤵
        
        PID:5072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7824 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
        5⤵
        
        PID:3584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
        5⤵
        
        PID:3204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
        5⤵
        
        PID:5492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
        5⤵
        
        PID:6232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8740 /prefetch:8
        5⤵
        
        PID:6796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
        5⤵
        
        PID:6888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14522656108110085030,11567229689628634654,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6008 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:5048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10547848134479948041,9796064990268900834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10091341502433403833,6790080531136460606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:4584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,10733829629175332387,1645085374119618361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:4884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:4328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x100,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8164446f8,0x7ff816444708,0x7ff816444718
        5⤵
        
        PID:6324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2WO5295.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2WO5295.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Iv79sc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Iv79sc.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:6984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5540d8b148f8bc5a5654a146392f4bb8

SHA1
ff9cac875636a63c39dea966c6f4a5b33306a2e5

SHA256
26df23db83e3daae9b413e9b2e2afaa3aeef9bc150ebd79dc2d066532d8eb8d3

SHA512
fbdcf34dc206e467a856aff91b10097caaf76248e99d577247f040d3787ee366089c59021340704447189493933dd1dca05699bb3d86518b251ea6ae82f36107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
f59785b627550a74bb48c66344dc5081

SHA1
d92db7db67c8d4287c369d9fa0d155bd55175986

SHA256
8fde69852f08c3262d140015986c7f8137a657e29ff89a4c2b87be47c7250316

SHA512
49ffd41755e241e5ab6df0b7d4854369a9fee83c74bc9449988cd0e92ee6ff21b99c7056bc84e8fdfbfc964d406ababff802051ebba71311e7309d0f6d86033c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
20029594c702c310ff0e9962f5256741

SHA1
fd6fe30bddfc4956222dfb48b4c083d07d5c0891

SHA256
6ba48bc4e43ac7784fc999d3c3cfa194caa2b58a4d611d8910713e28edf87f9e

SHA512
e424d303c071606e18f12d42695b1da1fe1af8c2f9865b3eede36c57bcc5accb6fa908b3fa7ef79c95f933251adc1e8396f334fd88c7641bd3afd6b21a7a117e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2671dd6561a5cb8eef18127bb1497155

SHA1
ee66f9fd9db8c939d2d083cd265e55bd07c375b9

SHA256
a1c0687c4b8a463093e5f48deaeb35e942b8f6c7ab13d5b5998c05a9d813f06b

SHA512
1622b1bfc024c117ac422533680a7b5e142661d913fb3319371c6856d7ded2f586d57bf281bb5292ca48b75ed4b4c27246de7dc801bac99eb3723c626adf3c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff8de172c25fc33f8c0646665a9658a2

SHA1
2f8e3e9ac7557f44f9bddb80b14d28217406260e

SHA256
fbb42042bffdaa52906927c32fdab34c00e16910b84ecb4a2343731a1a75b0e2

SHA512
f5009ce68def4507c708ed43d8bc14adf2c2b37fb3fa4e3621fa8e279a0702261d98680eb3c0afe664a17c7d2c3fc40a4180a01ac2b259bea9274d4180c6407a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
485efed4d196e4f82fbdc0a2bb25fb4f

SHA1
c156584db48134fa4e3858b5327601403da22a0a

SHA256
3326746b9b544d7f25e0818aa3ec5fa0441041732fefe99b67ade52a90adc93e

SHA512
838d190071babfe321d4dc2417e0b57894de1c05dde8460ea71923cb00780be3105f682403fe0d90a3a2d51af2e980d33a533932f47ea09e849aa5d30bd92ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b7301cf1b850525f17455814aa8dc3d0

SHA1
8d18ffbb91b588c06db29dee122bd893cb268760

SHA256
df20d005177e4eccc718fcf32da8d219ad0dee7b03b2cbb3add282a31c6a6732

SHA512
82283446005ded977ffc3831cc359ca0a880c94c5c1fc5c929a578cbfabbcb1fa7f760bafe4ff874cfa4258fc4c0a56a84c4bfdac56096eed4bf43e502e3ed46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
a911b5e8f9f4bd7dac3a4f735e014359

SHA1
3451ee1ff2353dac052da014f3e9177a1fd0a319

SHA256
7ab88f9e69fc34f1c8e2323271ef566b2818bd1c23126d8015fdae8a8184d505

SHA512
63836fe92f37b424e3cdde1440cb3f27e2ede30573aeb5c858bde63a3753b7d05d1423adf1d68d4e7fb752a8c9a446c4674669ab1456e98240eb0eeaf0b11102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
35ee3b252cd0e404f1cdc21f6b2400ff

SHA1
608a9778e3b772e531e5588e19925eb2ebd71318

SHA256
28e947d3d5a96eef4ec2b3bf808b780ee730b848ef9731d9e076aae4f6897d06

SHA512
3b28d57bbf36aacb0a555a10076006b032e968930aba5285cbd8a90cad1ac0666f7b772ea43be2c7c2291052c4f86f151db76220fa8eb09d361b930298861e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
7e0ff3544ce43b0b9b59247b562e0e13

SHA1
592a3d01b96ba1ddace6205a6d84414e4dee6050

SHA256
f68cad3745bae98154aa33563bb7750c25ff84817875e3a5c736cbc2ef3dea40

SHA512
242c3565eb97a86bdb4163d4ba5e94579d331b2c4834114c382e7e00d7b697934333030acad9f5775fda03b411f6f77508a8605b88c0c55946c0664b68851d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
765c986bfef914d9c9147416cb374532

SHA1
503c6615e4b8e8d88bb76da85bd0846070a28aa9

SHA256
18eae51ac4da09cc166068303fa76845488cbf8242ff7370cfd2109b863b5f3c

SHA512
ed9f9a8178199968c3be7567eb2851574c7e619827dfd2630e7ce9af3f04ee9ee3da1aae2e400f5c1643ba85d37ef92a73606ee59b27425bc22d7d191e2d5b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e4b3.TMP

Filesize
48B

MD5
62e693c360f50f0928147f2206db7f98

SHA1
ca4f6a2eee92fbb42dbb5701b89467be74e8d991

SHA256
8a71f2d3ff1fa881ffc2a2a9baf14aab6bfa878d52894680bf294d206b96adfd

SHA512
3945ddff4a50dc534a91740216b596c8f4a7e7aef0b8eae508da7ab705b03bbf456e0359c35a749afd12e6406c2e08d17358174bfe87804457e80ac9f0f1289b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1838b86e6b01d03f9c04fc4e4d357ea5

SHA1
290024c36e0fbbf1f1ad81f2127412bb2332487c

SHA256
afd9c241b1bf4a2f4f36efbedb6665d2722fca9379885379e3d72967a7ee5390

SHA512
bec0d6a4814bbc2b67c5e4e9a866c1d79edbb2fb1ab40659ec45ffd7a654eb9af07ed21c7d10b280aac9bd8ff6f5f57fb2a94134a22183fc4f414c7effff1479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4f23877afb3588c6da02d2328cd37d7f

SHA1
f8d4159d26d41ae6f81d6f86d658cc6ed7b8b6b2

SHA256
3fcba09f94555bf43f2e2b6814c7ea27e6bac09babc9bd3e18719eb19e724cf9

SHA512
771f2b54aef39bb96761572af5a129fe4ceb8862d850519a22bf69cb80e17e2e506fe1bace6b3996c62f40609df933963d11b10b00a8e7014616fbb31c9a6a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
35666f488c45a938566d1b1d39608ea3

SHA1
65c0389db56c4a73d5f2b41421a69a432a372cc4

SHA256
6758de3f002632db3c9c76604713ca9777d9cff7a33d712fb375835d49c8f3ad

SHA512
720432daf0cd46a4594351a0f326319ad783b4c46c7028599ef7028529b66216134ca405583dbf3f62bf43a6c88ad976579fa641c80da4752a2ca89a54e15a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5797ea.TMP

Filesize
2KB

MD5
8274c628346d19282537d2bb82bc2858

SHA1
7efc083ed409146b6d296f1f48069856a9c99398

SHA256
b9998a66db1946bcb36ce6c7c6ba26f368da82aa9e8d82f0682f72e924f6b8a4

SHA512
73488a9c688d71902f8df1abf4a24b8a8621fdf5e7ced43a8f21f9d5459f5804c134946cba25277b2bb44ff1edd1da9894ea18393d6b55032b38c6dac1c04b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fa4de0f465066b75ad87529629ed8158

SHA1
52f0f625adb4cd622ed0a25ab18a39e2cfe0e28a

SHA256
0d7d403ac8461e09febf0ed48f07a5259c5af1fbd2d7c222f5a4166e21f71ea1

SHA512
827e80f21c00b7cf460ff66d0aa95d4c8d6814a94f6bbea314dda138e04125c2b5e4704f703b1d70a98e438431d0a154a49dae2c45fd441e917d88052fcb0038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0e2b0793d3ee14def2c1fa26f56f5bfa

SHA1
0d5fa34c4ba9dac384286ef4f324769f1b7a0f68

SHA256
c36887844f49f75f9e8b135241c4a9b458ff3b54f121037fdf3cb818d1b6b996

SHA512
da4aaf7c37825b88a123950caf254a95975ed373513a6c349d3e82bc28dfa9edf675df73960be24d3f96a03182de70fd61bb37ca4f97b6a8951f6b3757e53645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
97104f18539c9722ae512c3639645f3e

SHA1
fe1be9549a880b0b5a2cdecabd09b7da22c892f6

SHA256
c51675603238ad0e0f3ff82a75511e372bfec085251ab0ad7c5eccb7ff83fa94

SHA512
2b4b1f9ace352c6682f715a9f19d71d8b0730797c431024872d49946950ef9240ca1e14b8651f064b3704d025eb43fbd35a1f6dd0d998ad932ecbdda49b5a1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
16d964543fa6cc547088108e3284029d

SHA1
28b91e4b04dedc55f48d9fb6126b1302151ff6d5

SHA256
8bd06f7128f60e856a8b3b669a6762182c34dd67e887bb94c4602787a8b3494a

SHA512
f33933cd977c80886514f480383269152aff849f5abb10ccaa55b4d4be9ebc68f40135d07b29705083b1bfd35668dee5a3d9d6cd628a2aaa1a63376cb39df8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e17fbb72fdd481f345eec465076280ef

SHA1
e47dbc03e15d6c0615c4a613fa4c3c032f758238

SHA256
d89c2cb6091c8558e9f320b8ce82bfa32b12948140399df57594e46bd7ca5448

SHA512
6264bb8889291c307faff52415684ca5149a413d8edb1ab67ed6da48b77b5300c32361a4a8add57016d1bcc3102744836f5d0d8b3016fc632445faaecb9b8026

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Iv79sc.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kj2JG96.exe

Filesize
656KB

MD5
38764e5627b2f5a5f91e666467b6ace2

SHA1
9163bb262f0dd478c21f455c2e7cecb09eabee66

SHA256
a95b325fbe3cb094dd3dc521156bdda354cc46115c584e4900d03272a58f35ad

SHA512
76020df0daa04b7b99e4cb8403c399ef5eacb62b10d680b4842b5ffb8944e0f47674d9d6162409a6933da0fb46852bf9718bf461a08483119029dffe1c0ee939

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jr40SH4.exe

Filesize
895KB

MD5
c2a5eb8e6a62a96c3c2d0862c2849122

SHA1
a4696a42a9539bc656ed9906ee420f4ec219026a

SHA256
fbeb38990fd5f91f00d91e6274860e881f0595af4322073d21e5bed2691c7a0b

SHA512
5eaff7863bb674eac4f599dfc7dbe88eaa4d31ee6eb1a1f0b6d4fcec426aab0c4267ae1ca51acb9235093a6e3316ec2a4f93d8f23aa6ddc6fcdeb0234febd4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2WO5295.exe

Filesize
276KB

MD5
7635e6d764590e8f1f16fa9c9e4aff96

SHA1
f10b6c90db7e4b9db19d9f05ec2dd6e9606587d7

SHA256
27120f295cf6979a8d9f249ec1127f5f200f160f11cd12797a58df01b35e341b

SHA512
03075d1422e0aa3da8e5b99082258eb27e3cd96aebee702acb5587ba90d49b57ccd1438d13c6d2fe00f0dbf7649e94925d45b1e0cb3946eadcaec12c77eb5f4f

Download Submit
memory/6844-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6844-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6844-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6984-194-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download