78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe
Size

634KB
MD5

5d66d2aba93fc12ea57807cdfde0f9bd
SHA1

b3a4709c059137a8f99cfdca6d379435d5e74f73
SHA256

46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6
SHA512

7eb64d383e338e028e7fc46b7705e02610fed7ae12d7a3b9a0eb63952a9ebc3aebed949b277bb10e1d94b5d3ffb482dbff16a926deb0a36defb012e3d7fbd4b9
SSDEEP

12288:hMrXy90BkujYvPGmnqc3JQSo61S9WeQy1INqfJ+PVIRCOQ:SyMkujY7nV3Gkc9n1EqwVIJQ

Score

7^/10

paypal persistence phishing

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/6540-168-0x00000000022B0000-0x00000000022CC000-memory.dmp	net_reactor
behavioral2/memory/6540-174-0x0000000002470000-0x000000000248A000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
2828	1AN83PG7.exe
6540	2FB2882.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002344e-6.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
2804	msedge.exe
2804	msedge.exe
4480	msedge.exe
4480	msedge.exe
4248	msedge.exe
4248	msedge.exe
5300	msedge.exe
5300	msedge.exe
6004	msedge.exe
6004	msedge.exe
5804	identity_helper.exe
5804	identity_helper.exe
5552	msedge.exe
5552	msedge.exe
5552	msedge.exe
5552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2828	1AN83PG7.exe
2828	1AN83PG7.exe
2828	1AN83PG7.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
2828	1AN83PG7.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
2828	1AN83PG7.exe
2828	1AN83PG7.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
2828	1AN83PG7.exe
2828	1AN83PG7.exe
2828	1AN83PG7.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
2828	1AN83PG7.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
2828	1AN83PG7.exe
2828	1AN83PG7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2828	3996	46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe	85
PID 3996 wrote to memory of 2828	3996	46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe	85
PID 3996 wrote to memory of 2828	3996	46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe	85
PID 2828 wrote to memory of 1880	2828	1AN83PG7.exe	87
PID 2828 wrote to memory of 1880	2828	1AN83PG7.exe	87
PID 2828 wrote to memory of 4248	2828	1AN83PG7.exe	89
PID 2828 wrote to memory of 4248	2828	1AN83PG7.exe	89
PID 1880 wrote to memory of 3960	1880	msedge.exe	90
PID 1880 wrote to memory of 3960	1880	msedge.exe	90
PID 4248 wrote to memory of 1192	4248	msedge.exe	91
PID 4248 wrote to memory of 1192	4248	msedge.exe	91
PID 2828 wrote to memory of 1132	2828	1AN83PG7.exe	92
PID 2828 wrote to memory of 1132	2828	1AN83PG7.exe	92
PID 1132 wrote to memory of 2060	1132	msedge.exe	93
PID 1132 wrote to memory of 2060	1132	msedge.exe	93
PID 2828 wrote to memory of 4824	2828	1AN83PG7.exe	94
PID 2828 wrote to memory of 4824	2828	1AN83PG7.exe	94
PID 4824 wrote to memory of 4936	4824	msedge.exe	95
PID 4824 wrote to memory of 4936	4824	msedge.exe	95
PID 2828 wrote to memory of 3160	2828	1AN83PG7.exe	96
PID 2828 wrote to memory of 3160	2828	1AN83PG7.exe	96
PID 3160 wrote to memory of 1600	3160	msedge.exe	97
PID 3160 wrote to memory of 1600	3160	msedge.exe	97
PID 2828 wrote to memory of 1332	2828	1AN83PG7.exe	98
PID 2828 wrote to memory of 1332	2828	1AN83PG7.exe	98
PID 1332 wrote to memory of 4032	1332	msedge.exe	99
PID 1332 wrote to memory of 4032	1332	msedge.exe	99
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100
PID 1880 wrote to memory of 2124	1880	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe
"C:\Users\Admin\AppData\Local\Temp\46054179cb2d9b509f8a1029b4d1b357f32a91ab0af933d26deeaaae266db1c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1AN83PG7.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1AN83PG7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,698376299028432329,1073003039387076746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:2124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,698376299028432329,1073003039387076746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:1192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
      4⤵
      PID:3004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
      4⤵
      PID:5776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
      4⤵
      PID:6016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
      4⤵
      PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
      4⤵
      PID:6084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      PID:6204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
      4⤵
      PID:6324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:6584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
      4⤵
      PID:6652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
      4⤵
      PID:6860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      4⤵
      PID:6276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
      4⤵
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
      4⤵
      PID:6392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
      4⤵
      PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7496 /prefetch:8
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7496 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
      4⤵
      PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
      4⤵
      PID:5164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8460 /prefetch:8
      4⤵
      PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,6211017184702435398,6203104230453438490,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5972 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14974878324062864586,8443999748416130008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14974878324062864586,8443999748416130008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11551985876197712022,16839014706535622818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:5272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11551985876197712022,16839014706535622818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,213132760252657696,4463414498061421803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:5996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,213132760252657696,4463414498061421803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
    3⤵
    PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:5536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
    3⤵
    PID:5160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:5492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:6164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:6452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa340746f8,0x7ffa34074708,0x7ffa34074718
      4⤵
      PID:6488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2FB2882.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2FB2882.exe
  2⤵
  - Executes dropped EXE
  PID:6540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9746a541c57797a86ce927fe5de1fc16

SHA1
abd4d07fc9d823cde4e5519c5a5ab513fb970dcb

SHA256
b65ab559a58080119b6df127ec34862373ad16c78f5bc01f53350dc806f322a4

SHA512
a5d9b510db29faccb7d7e2ef88457c02ea565366ca07769ee7a510cd2f8c6aab23c1dae91ddf71367291ab21a0b80e2772f25cfca2b1870400933677f57563e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4685f0aad485d0c952d63668dbb08c03

SHA1
4a843b450a2b647e714848734d60b0fde8036404

SHA256
3161eb61b346bd04028817a819412543802571635f56d528995949737e250cb6

SHA512
311ec274eb46c871c26ae8021cc62af652dde65df96f39d5bb11576a10a711ca6d516cdb10fb8eaadb64f0503779a9a4b9cbb4d0665056633b35ae86b195bf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
1bfeec26bcd869a3a42526aba828972e

SHA1
a5c6b25b6e5d1c42b461256a64a931b90810fe44

SHA256
58d48f880324963a0fc5107bbc3453429bc49cd5df1742ed7a7412828239491e

SHA512
9e4d57f51814aef0f17b7a7d404e55afa9e372cfe477b444d32c39b24c8145880ea124f88959fdc984cad12ebaacd3d9c56fe4ca499df195c5301ea6ccbaeef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ffac11fceb4d607ec5124f46ee3c33d2

SHA1
fc5ddee643d2f0a21764f980f88814b45127fc07

SHA256
c7c8c59efe94dd5072b035921c5547e1750c47ff384c105cc00e652fce46ea63

SHA512
c69e6877c81981ae39d7cb11f9256575e0715070eaa367aff09ccc7413fbb91f3510683896aa3d97ddf95455b62d580caa596021d551bf952e55db1c1d1b22d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
99203b299812ad357d0e18483b6dc56c

SHA1
a3e9d526fc8fbc09c0b28054cec4956e9225e0a9

SHA256
159c8d6dd01b8fd1e2772d0cf5f693c86ba944ca97ed2f3a8b8072df89a8cf8a

SHA512
9f8c7de0085c181af91fea7d223d6d7613fe01692213b0a25986df9d0e2b39cd81dfd1124253e39efbca6022f2f45b1fda2917ab8874e9955241616b77294c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97b51e0d5e687c1cfbfed94c00e77641

SHA1
d56a91e40438d29d0345efaa264f408904bf1f90

SHA256
ca14f68a253b4b2b44ad2061e373a16877a8c5653fb80118ff38d00fead48b70

SHA512
5a7504b8b4f78627da115f90f466bdedb57f0211c6138f44469897be6898fef82bb1a1180388cad7f0fb357638c0f800decbb97c60732e8931346975eaf95001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1554759ea95db582a769788e88d7ef5c

SHA1
36f4b44834b426ce20fd6e3cbece42bf8400ad51

SHA256
e60a6f95f9237fb51e1e081aa7043777cc2d9b027dff578259b8503798ac8b08

SHA512
8f2e8072b5a18dee9942431ddc5fe0fca106b08a22b857c93f498a923ad9d9e689822fc8d9a8ce154fe9daabe034027a852ab87152d530275389eeae73eba464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
10df107ac31b2b570a29ca5d167e925e

SHA1
c5d3c7041b7fd4648e7d83f94709efe79ef199d6

SHA256
02c3ddac9f98a0cd3bfc1d6aa13d840f61d6a0bd5bc6bca3fefc9d265477ef72

SHA512
31e445d7035123f5390139565141c535b26fd7b8bcc583859c9d49d8f399e88239f60eff2f4f04a125d7203ca34f514039b7939e80b7d2d8d71b4beeb2c6b6f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
d20255934d3d6c135ed32d75ff1f1600

SHA1
530bf6fd08f48406028a17bea6e31d3f4eca8feb

SHA256
ccfab7a3e4e16d5974efabd1dd8ad373ea317b26f4d5ac2efa9e08a11fa2d10a

SHA512
6fb9a6c8a0f5250ab3e6b89d8b9da063b6318771eb87a55cfa374bc56e7d5e3b05dc82edeed9b23a74cc8c32029485d8f60aa5443ba3b503e7caf7a4a9fd9a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1c8a56cc5d4e59aed06fe27963a73ccd

SHA1
21146c8c98bd87ef5281e97cb6cfc6d48adc383b

SHA256
e4eaa20ac6c9cd5b8de32f12df1d29de58cd8c4532bf028a6a4f6199c686ba2d

SHA512
2b44cdec41dc3e84a8f982d8996f793f3cfc6c85ab815ee2c872792aeaf20587823608e6f9ca9f2c30c8ccd5a0a78250464f1ff8d8ccc77d28af3dc9bbd1d5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
810ed44c412f48006622476e9dfc414d

SHA1
217f5bb978f76463119b0bb67d0fb6e29daeff87

SHA256
77165940b5e76c554c953a274aa7d25f10d5830e3135f70af24530b44c5e9646

SHA512
91c361d24ca00f6a66042d022a14d0876966bfc88ed2c49121d96efea5a8c81a00a37883a60542a8c9ede8e1d561a0c78ca767fb09fc08052e729ec34ebb72ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b6abb2a6b76546f977229549203cb250

SHA1
0e3cad420ce40708bf45b90bccfe1d194fef5002

SHA256
4f1e6bfd2e5f8e8649c4f67ef0d04c2299325ce81a3ab4c7674e50aca69a4f56

SHA512
4f652f75f77e285432d4ff1d1a599ce77aa3e999023afc23963e5f59f1f83a6013941c2bc8c321e0ec7ed234379b36a15be980ab3a25401189045e6c605b17ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e0bb.TMP

Filesize
48B

MD5
32c16487d7ef6cf3a7a9922ce6ea915a

SHA1
c23fb8d0a4309ba80cc4c4c9715a6367ddf43527

SHA256
40d66005f4dc4a6f04163f1c5883cd017e0c9aebed4c4e7885c702492ecb92d0

SHA512
2b6f05368ec2f480b237899eb79996311b200d5039f71a64ce49b6940c1557e6691bbc5253ef77df93eb3b5426ff18a0e8fdf5d0355618d26d670b5ed98eb4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
393c77149f20347518583230a3fd7895

SHA1
13d3425b7f94d52c38f86101f442facc4d831f61

SHA256
8c5e8d75d3daeedb266f10ab4984f49ebe6fa497bb5a2d692813c8cd7a173d95

SHA512
501045e7abb9d94e16fac69058e810da1a2ce90b1cf59499254a52ae33adba9ccfadc9a6b8875c0fce3c58b7cc97debbe12a4dcd4ef369e8f1a0e891e96e307f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7edabeb7ca345f1d2477e1a29e76c78a

SHA1
5bc833134bedfc22d1d343d878ee7c6ed460554b

SHA256
27b402e29bb4d982e5af8de9df927bc1c47025c50958b3fb966492687a0767ab

SHA512
ad0c286f735879c9f3bf3db56c72f05a1c994774213ab4183ed184678cdb12d638a6d6f4f0234ee30989c8c5b10bbc78757e8335d2dcfded185960123269f2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f29993130045e0e5705aa8ec69110218

SHA1
301e1c793ca2300107de70c5db1a31a74085fa08

SHA256
7679d9aabd19781d69016f01e20db093cdb4190dc42e39d5c8b85e0a4d9bee1e

SHA512
3a7ae5f0575b41f145d1ae4938ba11ce5b44d505a6afa1c842c3a5e98d8ea868dbb75b47fdcfd977e66cb85afdce25056d6803c8828d9116083647a10cf37f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
76a0a982c7eea3e055584c43988071db

SHA1
87dadc6fb9b00c16dd5530cc4faae021e520eb2c

SHA256
05278fa06f313334c90f13d39bca2ef213d4da124e115ef1c7211c229260c559

SHA512
ad0af87133380f65195ac46a57fc0944a78eb13b7c37dd2bca1d1972a097f02c067614213055f96729d27b58c98db67d077815488cb4dfafe8af5d88cda9d85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d890de0ca58022b1c80f08c26f0b0af0

SHA1
385df56d1c9da774509928a64da725ec1eb7e569

SHA256
4c59b939bb1f185068e4d8270ecf0569c20f27257571c46d02ea2f06e5b29fd3

SHA512
54b28bd085cbacf6dc98cdc14bf2bf5c1dd04085c281d06c1a313a276267ac0650368bee8275d142435b9bbfb51a6a89ce1afb4362b597726889a030d73f2619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579db7.TMP

Filesize
2KB

MD5
088f218e34a2327a70bc6a9fe324ca9a

SHA1
374f613ef03d76bdbb1d00766564d6639bae2171

SHA256
a84611ab06d8ebde8fcdaa88fe09892a1612e296279e5e859c53f6400bef54ec

SHA512
395bfbd50b91148f58e9093fc32e59872962fbbe40eb52d4ba9f18740eff8223f2677fd43260c7f04697f700e0750b6f8c9b5f29f34e29c70f653faa53bf49af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6543fb35ef43f22ddf4162ecd6c75214

SHA1
267510032227d0da243bde800838d965fa4865d9

SHA256
e9de5afc1c9fef2ee8ca1243f557ecab26e2e77401a3c944314357ad03d6500c

SHA512
dde6ca66ff9b233c36e781fdd97480c20675c75353ad55bc4cf39b6f09f560e11df5d7f0d1a7b341cf45a46c5b5e020e6ba2cb39a428fb06b55985c43d5110fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f740a0f5f5c0e9180b18080022bf03dc

SHA1
974453320aacb3d34a40bdc185a7339ba27a7a08

SHA256
70124ca9adc097ae78c81b10ad1e535a6054b536865583762381dbf6a1dd58de

SHA512
0331b6b0fe0b5b5f1a7a0fcdc88569d1e0b608a73fba637972dd392229f08fdc08845546936cc6d5524e1bdd9d6378e0c12fbbac1a7df1c4c53cc11fbb78fade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
334703fd4e12a7ef0348664368297499

SHA1
09be7672b0bf5f9e84b4606d7af771295b822b47

SHA256
b72067406d4bde78730eecd4ab2c5b07618c433d18f7676d22be876af2a283fd

SHA512
fc3e060976817a23f2a737fc7640ac09079b02f78474669d8640d9bbc05d1323a804ba6a6905dff2991b53efd0b6faa1a368e6d5f918c9eb652ad330854ffb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4967d569363b4dfda316081f82ff2cde

SHA1
43bd15a7c471525393334fa7fd02486f6ac40131

SHA256
418620a817d201182b3c22d9c57ff08a56b61c5716a020934c2aa08101498611

SHA512
591c6d9555cfcb59e6ddca0a0ad07ef5bc4ca4ee6a62a8bb95e4b0a53f69a8066a54b794a393f05d2afb279464ec4952145a65afd1a4641704da112a35285f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6d625d23b972c74e9003771c4166d981

SHA1
2a8834598f85cccb7b15bc348cb5850dd2374e6c

SHA256
6662466cabc23f9b2cafb57cb4144fbb8229f1e0b353c7e9df4cfa6e5ac88990

SHA512
43731931bc6fba55b9c2fd8180e9a213e99b2a60691a4fb3cfe219efa3fdc22ed502e1829e034275a8139c352ed58dbffaea9ea34b95f5e29d81b2696f4fd888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1AN83PG7.exe

Filesize
898KB

MD5
124ec74e0538ff2e1554adeb3067adab

SHA1
43d5a3500b3da684767d3dd2b5e07be8cafd99d0

SHA256
9b857b4f8314a44f72ff6be61bbaf35a9d3a065365b788110c6b7655e2ab1841

SHA512
92bf6aa9cd3b88c15191fbaa0863a03ccb57880fabd5502d0480c27f7efb117ca590c4a3d5cc90dcfd5d184ddb5abcd901af66fb729977ca506381511889b52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2FB2882.exe

Filesize
182KB

MD5
a847e74636951c79a42395dc824cd8ef

SHA1
4c64887bd74c9bb0884b1b6d7bb2da4f230a4b9b

SHA256
6f01b2a805420e727ff9c35fa08285c0a50cbac9c6bdf0ddaa51011ff81ee354

SHA512
163a4f23e9be0aa214957be0e7f342cd0a4248ca350f44a2818789b63755c518489bc3ac9a5b5b4302f3f1aea14eadb0e32ca68ada7abd46fbc3191aec98bcd5

Download Submit
memory/6540-175-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/6540-174-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/6540-168-0x00000000022B0000-0x00000000022CC000-memory.dmp

Filesize
112KB

Download
memory/6540-173-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download