mystic | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe
Size

877KB
MD5

cdffd489744085d274dadb4d6b409596
SHA1

e0fdec58945fe1e8f058541a8b5d9e38a5da42c4
SHA256

9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056
SHA512

61e648ec1e8efe66ca7abc10ee9f599a10a0bb83a34f9365040ce0b573418c76ae598043a818fe771b837d308659fdf2a15093a59db7e386f33fa4cad2d63f54
SSDEEP

12288:PMray90PmjjOxp0NldHCDaex4IC5ipCPHGkiPLvTMXiYQ5DJQqYQF0lZ6VEvFOi8:Zy9+I5caeuIseC/GRLYDDomZ6Yjw

Score

10^/10

mystic redline taiga paypal infostealer persistence phishing stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral11/memory/6580-191-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/6580-194-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/6580-192-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral11/memory/6840-202-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3992	jh3wX50.exe
3236	3Xu909VH.exe
6244	4Td1EW6.exe
6704	5MW64vc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jh3wX50.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral11/files/0x0008000000023432-12.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 6244 set thread context of 6580	6244	4Td1EW6.exe	133
PID 6704 set thread context of 6840	6704	5MW64vc.exe	136

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
3216	msedge.exe
3216	msedge.exe
3444	msedge.exe
3444	msedge.exe
4412	msedge.exe
4412	msedge.exe
5204	msedge.exe
5204	msedge.exe
5792	msedge.exe
5792	msedge.exe
4484	identity_helper.exe
4484	identity_helper.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3236	3Xu909VH.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3236	3Xu909VH.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe
3236	3Xu909VH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3992	3340	9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe	83
PID 3340 wrote to memory of 3992	3340	9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe	83
PID 3340 wrote to memory of 3992	3340	9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe	83
PID 3992 wrote to memory of 3236	3992	jh3wX50.exe	84
PID 3992 wrote to memory of 3236	3992	jh3wX50.exe	84
PID 3992 wrote to memory of 3236	3992	jh3wX50.exe	84
PID 3236 wrote to memory of 3444	3236	3Xu909VH.exe	85
PID 3236 wrote to memory of 3444	3236	3Xu909VH.exe	85
PID 3236 wrote to memory of 992	3236	3Xu909VH.exe	87
PID 3236 wrote to memory of 992	3236	3Xu909VH.exe	87
PID 3444 wrote to memory of 1452	3444	msedge.exe	88
PID 3444 wrote to memory of 1452	3444	msedge.exe	88
PID 992 wrote to memory of 2596	992	msedge.exe	89
PID 992 wrote to memory of 2596	992	msedge.exe	89
PID 3236 wrote to memory of 1448	3236	3Xu909VH.exe	90
PID 3236 wrote to memory of 1448	3236	3Xu909VH.exe	90
PID 1448 wrote to memory of 2248	1448	msedge.exe	91
PID 1448 wrote to memory of 2248	1448	msedge.exe	91
PID 3236 wrote to memory of 2708	3236	3Xu909VH.exe	92
PID 3236 wrote to memory of 2708	3236	3Xu909VH.exe	92
PID 2708 wrote to memory of 2376	2708	msedge.exe	93
PID 2708 wrote to memory of 2376	2708	msedge.exe	93
PID 3236 wrote to memory of 5068	3236	3Xu909VH.exe	94
PID 3236 wrote to memory of 5068	3236	3Xu909VH.exe	94
PID 5068 wrote to memory of 4860	5068	msedge.exe	95
PID 5068 wrote to memory of 4860	5068	msedge.exe	95
PID 3236 wrote to memory of 3524	3236	3Xu909VH.exe	96
PID 3236 wrote to memory of 3524	3236	3Xu909VH.exe	96
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97
PID 3444 wrote to memory of 3464	3444	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe
"C:\Users\Admin\AppData\Local\Temp\9e4d940a325e9b72d46353fc864673d69a691a5708c222a2124623dbb1d29056.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jh3wX50.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jh3wX50.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Xu909VH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Xu909VH.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x70,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:1452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        5⤵
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
        5⤵
        
        PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
        5⤵
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
        5⤵
        
        PID:376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
        5⤵
        
        PID:5296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
        5⤵
        
        PID:5472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        5⤵
        
        PID:5556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        5⤵
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        5⤵
        
        PID:6088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
        5⤵
        
        PID:4280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
        5⤵
        
        PID:4464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
        5⤵
        
        PID:6100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
        5⤵
        
        PID:6364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
        5⤵
        
        PID:6904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
        5⤵
        
        PID:6992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
        5⤵
        
        PID:6316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
        5⤵
        
        PID:6300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
        5⤵
        
        PID:6632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8012 /prefetch:8
        5⤵
        
        PID:3992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8012 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
        5⤵
        
        PID:6256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
        5⤵
        
        PID:6676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
        5⤵
        
        PID:6268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
        5⤵
        
        PID:2292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5744 /prefetch:8
        5⤵
        
        PID:5540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
        5⤵
        
        PID:1252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,12658304160438988283,9173435801154072803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3184 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x78,0x16c,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:2596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1169205007004391770,10695316249538942342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:4820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1169205007004391770,10695316249538942342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,9053495313879706822,6886952330491193816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,8643198866458586212,7899280806685846870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:4860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12269514694689239756,6191539233030003743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      PID:3524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:4356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:6080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:5644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7bef46f8,0x7ffe7bef4708,0x7ffe7bef4718
        5⤵
        
        PID:6076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Td1EW6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Td1EW6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5MW64vc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5MW64vc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a7ce105a5d8f5ddbd06e11dd8a7df70a

SHA1
033765be310f5611291bd0e865c50b2c3f73d630

SHA256
f7d88e46ab396d2f13a855041d2abc08cbaf4ed0f3a48ba2dbe472f4cf7ea54e

SHA512
7825262c8b707e445e4165de6cced3b434ea15d19d1366f2037e4d058e57e7248e41f23901184752ec0669b3ebfd87816b4439357301651aae8715a673857e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4ff857ad716b35b701cc4f649f7fc048

SHA1
ed29aa3d31e34e02d61fb9ae304780334861ecef

SHA256
31642a38424ee70d67a37ddcac97d23ce6f5416875e97edcb37a6cd120418574

SHA512
85ebca99a8ba4b52137ff27c0edf75458a26b3bfb7bcca39df70a1842819c8e274645a0a1e26809219366f5b499984dc230f74835df50105dac5b92f3d1ae490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c1d5f91f4f87863dd6d3b2cc69efeb5a

SHA1
7a7c3c8834c66dc59e3e4ecd0052a22e047d0ffa

SHA256
9d6deb119be3e46591943fef2b05932531616c55a76c790199e67c53b3a0f7cc

SHA512
7a24ee43a32d6959c4f0e792353b8667f1d63aad3b03c2fa618388d131753cae15a8589f383a3e6aa8330722e9c5503153594c600fc50685f1f8f5ed790e7a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0b5235ed46c4b24f94631e8da4564726

SHA1
de9fb5cd7152fb1b5fae3e95ab5c4ff733b967c2

SHA256
8cc352d983da2c58b3c6c266d6d63ab9ed22e584356c3d3d6428ea2c5486cf31

SHA512
2d073e18d7e60d290c0c35e58715ddb66e4b4bc93c652b48732068d589f83cd4afa7bb66c1ebcd0d34bd35a6abb1f60b5c5f9465c424841f5c1d9fcb41727955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99b8b881ddc441a03aaaf144d984db60

SHA1
2a3e8943b5a1735b20ef739417690944d0b90b4a

SHA256
b93609cd694d3eb81a70d0ee29fbdc37969e01476e6c018d38a725745e8787db

SHA512
988e5f365b62f4e1a398f17069c84e5ea5b7930b54792a9087930016903f651572d9b1b906ed5c1283373fd59b4e88a3efa9673a892ab6e08509d2c1f4c6e599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6fa491d2689c6f2d96d2d93f32114f68

SHA1
510eda9a628ad668944db23517b45d535fc30c2b

SHA256
e179cc2ab4cfb9d428f8b5e291c0d56c8fbc1bb6c2ccdbce989fad0906ed23c8

SHA512
a6f04be4b3ed23cee646d11d76a4cdac9d982157edc03ea6d8a0ef04409b302981a9f893e0c73031cfe027f3fef264a8f48307b35ca45a6878a1cb9d1a59c944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b0c3b1c46d5f0e3bc14b8ad1463d0e6a

SHA1
b54b0e92cb16bf0416f6cf662cb05374ebb02529

SHA256
c69a390b2e3317d3f5d14f29af7028fdf1b18c9b0970306332ee5c3076761bd0

SHA512
8b1dda05799ad233f89cd9996dcfbc6f660e698a900e92a67bb975236e39337a565027e710acae97f6a8b0474d182757bb822276173b591aebcb5202ff9a7c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ecfb6ca4a78585a1a9995fab2a1fd592

SHA1
80d2706dac65cec0493826d99a4142b2bf880cea

SHA256
1f03462baaacf015d8409e45249e7358e5f3778ec145fa3900ce0e06d3897933

SHA512
af5b3c517089520beb2215dbdb9622d3d88a27a99baeef21e405469b12645d58fda3109573691c552eff3ed7932b4055a1d8b701310136b46bc535f6ce4b4a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
25cddd91eecbdedbde0e484e5d86ade1

SHA1
21d6eeb14ff821a3a535ab6b6c84297e78bb822c

SHA256
21bfc5e9534b5962e1afd97782a46ddee2fe23891f62282d9cfd352d8c006516

SHA512
55c651e6783da2f86266e6467192733d3ac01c839da58bd789b7f3144a3521a5f145ef692668e75bff59aeffb8d446e76a108c0be05f58e8b1a8cd55c22ba118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
8b3789d55d523016ed1d856475020574

SHA1
bd851874f11f3ec168e53fdbed11c228dad6dd55

SHA256
ae8a9327494ad45e9fd44047fe307636d7335ea3747ea50d95842181caa66c98

SHA512
30fed9bbc399821cb3e4b2e2df1b997e6acd9b3284846e754c70cdf68094c2c2eb1dbe3bea2d2a6dd6c17919af184edca609560ab651edd04ac0adc4f308efdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c88ce191023ca4821ad38517335d7aa9

SHA1
68e2f017a3dc4660447522d761733eb01a0650ed

SHA256
edab7bc49315930ff80e31dae29241b364f6b75983e932eaf1e1b64f334c4937

SHA512
9e01811e86de5c9c14f706b428b2afb0f0f72aab0405aed7ba0f5ea36c13876b981da5e3b3968dba3ab091791bac268657872d53f960f85671b1d5c31ede91db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f935.TMP

Filesize
48B

MD5
774029f92608b2fbdfc087338f9334f4

SHA1
234b3bd960707a32911edc1dbf1e8782c5aa466c

SHA256
23608c0aad1a7966dd5288731c5e7429e710d3970e6fb1b61d57106384f79b41

SHA512
98ef0462cb1ea343d9277e7346e727a7a1575c328e77ae85d413b542db7b079a4539369e33682675aabcd78ebc4b3f00e9d01cd0613975331c3c98b93b867cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
45a344d3fbe22e0bf759a3e47ea564e8

SHA1
2af6e83edfa5f840c905ff829ac793e744e87631

SHA256
bd9654d0c7bffee702978957aa5ca5d3e405daed5114cda05f90d098c24e9151

SHA512
0f6d958690989d1892b192da3288ba83ee8799656e25a834eb8c8221c7dd5d4a9cd93dde289d5f47880e48e6bbfc25dd53c806c0ca42a5a77129b4374225ebd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0778283f5df511a5bbffacacdfb3db28

SHA1
1b2f162af3c8a3d45407969a372d769680a9ff57

SHA256
5b621ce9bf5ccc28d46ce892c5493f73f7c5811213083f4e09943dc00ae4b24d

SHA512
0417d31fbadf00c66df1df182b5ad7ad451c339ce3ac2fa9aa79f5b10b520bddfe3bec4ee68fdd9db0f9d5905bcf786bd3b550e59b25cb9832d6f11dc6ca1851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d48d4f47b1aff6d67f078abfaadc724b

SHA1
41bb2ff65f3d88bbae0d1f235d6f63e78bea175e

SHA256
31067c582b347f46d95b8117495260bd5dce504930987b07e292556acbbff421

SHA512
6ea4ec495f6d24b5cc1fe9c59473a0a37b3aeda76cdb5176a92d1a0bd63e98a5cfe957d250cfb8fb916efd4e334fe8be95a6f01f2a6704968c644070c7077703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
871f073fabcd0dc84c280036a95dc34d

SHA1
146e196948f7066a357feab912f2ce44e18c8b55

SHA256
57f71f20c74da4683cc64bd0a0cff8a9543c9ec71fcdb8931ce490a369a6915a

SHA512
d6b6422bdd35fd5e93fb205a421f2325fb0b4cbf555404a9754625195aadf99475f4e7871322f67e88aa136cced7b2ab44d2cf28ce1902dbc5d5f6c964df92de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b12f.TMP

Filesize
1KB

MD5
9664c920ada87dfadb382307d1b9b3b6

SHA1
4ab66bc2021533ed74e664a762984ab0e5533644

SHA256
115295282bdf31aa342dc1cf45c0d1b0e1d7a5c0c6c7c13cd3c303fc17ddda49

SHA512
5d528503c9d84f4769f064a1db8c35a35ffe9c6aba9d2cdf1e0aec024a1d0c10768b83f5aa264fd54200dc8da848fb8a1d8ed6c438d86a9f285b977610394745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bbc7161a7675bc466f0bd330647eda9c

SHA1
b82ed1638ca7dcc83d0171aa58fa8d716ff23d50

SHA256
7a4612756fececb354c9540a7dfeab0ead719e1f4ff07fe7e4c49a6272d78258

SHA512
994ea82d26bb1d5ded4dd438a24b4e97e23821667b396fcf418e549c45e589f50e69c49c66e134c9fd8417fe84cb5d821e9cebab018763a3dd43a6e2d20e5015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7dae1e84ee930cd1891deb48021d388e

SHA1
abb3bcc984537f5f8911de0fa913b774ba194efd

SHA256
04af115798fa58732e97365732db44fd452dc045e09592fc634a62f02060c744

SHA512
b745af39bf40bd26fe26dbc551cf01b39961ca60d957a3bb8954f48d682234bd79d4590f8fa215cc7c9d5de4818abda423b8550ffe2aa1c20b729ccf0fa6b0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
40d59468e92e7bb28f8cc3bc21436ae4

SHA1
290edd1b6541ee3b024d32ac85682396881647f3

SHA256
0bb37c69d38922200364e7e2afd7dac661767d3ee016e8b82d5ec342b9ae9764

SHA512
c0e26ad2a0d7b54441b7d48f1263cf4a30b8303f81631f777b5361d66a35ef291251ca3fbc122732bbf5df1d9025b05c40d25db8679d4dc156edf6bcc04f5029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e6cb2692e9c9578bb981bbe32a2ef836

SHA1
e8778dd98ed2e3e614d064b13494a228c399cd0f

SHA256
6a09c4a7cf71adb6b86a88239d2ac2fa1c52703ec09bd03d70774a705a5a4ec7

SHA512
b8142b9a020fd3989ec21b26a74f7e484db59d98f6b5c5115f89bd9eacebb27581890cc4f850e9e70e04d46eea01cc1d7754e21bc1b550688ff18eb8c79ab98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c9dead393a71d7f120c83ff0ee905e5a

SHA1
8c6d2befc0d7bca1cfaf3cb9652b1b0111992aac

SHA256
9e98be9ce5e790203fccb7948ba48af447f736a2662a734890342ac677319c8a

SHA512
45d5bed94a9262a38d542fc2650fb972aa4c28268d9562f635e90fcdb0cbfe6a8be74fd3c44ed9bc9df43ba32df8994a6ffc82844264a9f165df159f059fc5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5MW64vc.exe

Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jh3wX50.exe

Filesize
656KB

MD5
e6678ffb5e2576ffbb5adb2b0a615715

SHA1
09a9ea7fe7172efc9965dd9f1baa1c8d5965d390

SHA256
f743d4a02501efbe81a994f9a0e33ce3fa1d7ceffa8f440fe908e6423b1373d8

SHA512
cf2718fba41b7d33cf73c7be2181e7e770a5f0d4cbe020a36e3b20eba9cc014cb872e9664559847e45d76a9e813eca911fc08037fa239e2c627f3d8e2145c369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Xu909VH.exe

Filesize
895KB

MD5
c5b37fb1f475734224f7e7163939165a

SHA1
4a3adc3df899fa38a9711d7b62207a458239caac

SHA256
75c06a328709225ea8edf951040e92c41da51d92d16a67eeb11edab3b6ca8b64

SHA512
6f6345b0b94cf4b8f4a1a92c3bd83a3f97acfdadb7c0307d3d7759cb52ac250e50b9f65eb904e82c041abf6e1c9ff090b3a54b1240960c053ed8d5f05c1bd088

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Td1EW6.exe

Filesize
276KB

MD5
6faec323ec516bea59330a5d4b237804

SHA1
aa3768d8b8d9a339f178f3d7e43e614c15489a55

SHA256
7c414a250dd6392aeea893accf314d76ca92df3d1e26e718e48fecff802a9f69

SHA512
b4aff52ff9948d14b1aa6c372818af76e272f6d7797fc8081b3f5d081f614d8bdca1c3a3e190bf34bf3bd7544e11c51e8e6ce41c6610fc1fed8f9433a6593e4b

Download Submit
memory/6580-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6580-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6580-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6840-231-0x0000000007CB0000-0x0000000007CFC000-memory.dmp

Filesize
304KB

Download
memory/6840-230-0x0000000007C70000-0x0000000007CAC000-memory.dmp

Filesize
240KB

Download
memory/6840-225-0x0000000007C10000-0x0000000007C22000-memory.dmp

Filesize
72KB

Download
memory/6840-216-0x0000000007D00000-0x0000000007E0A000-memory.dmp

Filesize
1.0MB

Download
memory/6840-210-0x0000000008B40000-0x0000000009158000-memory.dmp

Filesize
6.1MB

Download
memory/6840-209-0x0000000002E40000-0x0000000002E4A000-memory.dmp

Filesize
40KB

Download
memory/6840-206-0x0000000007A60000-0x0000000007AF2000-memory.dmp

Filesize
584KB

Download
memory/6840-205-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/6840-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download