privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
Size

1.5MB
MD5

cb25b6bd54c4239ad5a75fc6fee281d1
SHA1

ed46e5bebb879516910f09870ebe26bdaa47f23e
SHA256

cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6
SHA512

76928cafffca0716011b44fc29951efb9136b0264b48bf8cf690310244c88de7dc8249e38eba7a89abfa56055e74c09ffffbb463e30cd902ef6467395d79ec47
SSDEEP

24576:SyCKD/kGZQfbnV3frc9jFJcSKUqH8wIJjKHgjp6o9UMDJyudYfoxil:5NQDnVARFJIdcwu2gYomMDJyuOfOi

Score

10^/10

privateloader risepro paypal loader persistence phishing stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2TP7412.exe

Executes dropped EXE 3 IoCs

pid	Process
4784	YI5eg95.exe
1420	1Aq73YY3.exe
6280	2TP7412.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YI5eg95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2TP7412.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral22/files/0x000800000002342e-13.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	2TP7412.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2TP7412.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2TP7412.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2TP7412.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6600	schtasks.exe
6680	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
3208	msedge.exe
3208	msedge.exe
4532	msedge.exe
4532	msedge.exe
2056	msedge.exe
2056	msedge.exe
5328	msedge.exe
5328	msedge.exe
5592	msedge.exe
5592	msedge.exe
7120	identity_helper.exe
7120	identity_helper.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe
1420	1Aq73YY3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4784	1144	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	83
PID 1144 wrote to memory of 4784	1144	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	83
PID 1144 wrote to memory of 4784	1144	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	83
PID 4784 wrote to memory of 1420	4784	YI5eg95.exe	84
PID 4784 wrote to memory of 1420	4784	YI5eg95.exe	84
PID 4784 wrote to memory of 1420	4784	YI5eg95.exe	84
PID 1420 wrote to memory of 4532	1420	1Aq73YY3.exe	86
PID 1420 wrote to memory of 4532	1420	1Aq73YY3.exe	86
PID 1420 wrote to memory of 1452	1420	1Aq73YY3.exe	88
PID 1420 wrote to memory of 1452	1420	1Aq73YY3.exe	88
PID 4532 wrote to memory of 4248	4532	msedge.exe	89
PID 4532 wrote to memory of 4248	4532	msedge.exe	89
PID 1452 wrote to memory of 2008	1452	msedge.exe	90
PID 1452 wrote to memory of 2008	1452	msedge.exe	90
PID 1420 wrote to memory of 2940	1420	1Aq73YY3.exe	91
PID 1420 wrote to memory of 2940	1420	1Aq73YY3.exe	91
PID 2940 wrote to memory of 1640	2940	msedge.exe	92
PID 2940 wrote to memory of 1640	2940	msedge.exe	92
PID 1420 wrote to memory of 4948	1420	1Aq73YY3.exe	93
PID 1420 wrote to memory of 4948	1420	1Aq73YY3.exe	93
PID 4948 wrote to memory of 4528	4948	msedge.exe	94
PID 4948 wrote to memory of 4528	4948	msedge.exe	94
PID 1420 wrote to memory of 5032	1420	1Aq73YY3.exe	95
PID 1420 wrote to memory of 5032	1420	1Aq73YY3.exe	95
PID 5032 wrote to memory of 4184	5032	msedge.exe	96
PID 5032 wrote to memory of 4184	5032	msedge.exe	96
PID 1420 wrote to memory of 2320	1420	1Aq73YY3.exe	97
PID 1420 wrote to memory of 2320	1420	1Aq73YY3.exe	97
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98
PID 4532 wrote to memory of 1032	4532	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
"C:\Users\Admin\AppData\Local\Temp\cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:4248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
        5⤵
        
        PID:1032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
        5⤵
        
        PID:3580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:2900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
        5⤵
        
        PID:2872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
        5⤵
        
        PID:5360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
        5⤵
        
        PID:5632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
        5⤵
        
        PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
        5⤵
        
        PID:5972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        5⤵
        
        PID:792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
        5⤵
        
        PID:5316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
        5⤵
        
        PID:6440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
        5⤵
        
        PID:7036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
        5⤵
        
        PID:7044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
        5⤵
        
        PID:2860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
        5⤵
        
        PID:6304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
        5⤵
        
        PID:6700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
        5⤵
        
        PID:6860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        5⤵
        
        PID:864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
        5⤵
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
        5⤵
        
        PID:6460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:1
        5⤵
        
        PID:6468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9192 /prefetch:8
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9192 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
        5⤵
        
        PID:5748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
        5⤵
        
        PID:5832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7544 /prefetch:8
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14721978611431538213,17439122779555572852,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5652 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,3335541141646410468,5121111669551376659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
        5⤵
        
        PID:2500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,3335541141646410468,5121111669551376659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,13058514159472282982,5505323392928249828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14955093640524805761,15786024491595470728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:4184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,9670831861107945643,12780983787009611151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
      4⤵
      PID:2320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:3600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:5044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ff9053046f8,0x7ff905304708,0x7ff905304718
        5⤵
        
        PID:6248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:6280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6600
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d45dd94111da9d5141749a93831d7023

SHA1
5143fbf9872b6e27eeef3a5871f17812cad37b6b

SHA256
bc6236d9ad2dbc53474a5e76596c99b73af5e8fde6aca2a955a1fc9f32e55c0d

SHA512
c11c8a44a0c66273c7c4b48eb99abc93ee7422573675121e96a4075420e8c207993d9db2a831f3e696dda1d4eaccde9471a53c8ba17f92870c11c5a2da145d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
77d7f7167bf9dcc7a339c1d51329c0b0

SHA1
6c8ed8eae09705eabf17a879b8ab0f1a5af24dc1

SHA256
4de284bab4b9312c1a9aecfc1e81d4f0279c97f2c341f88dd8efc287193f1385

SHA512
2a788ab7eb2d788a3f9036fada668abd0be6373d860dbe6ee2d6b3b404c1e305b835a4f63b4ba4b86cf481067856f939fb410792c639e12b3e4ecb12cce570f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7b971814b6fb0d2c18c9fd80aecc7606

SHA1
81f0574cc44ab5c67f7b474285b84fb18397a15c

SHA256
98541e8b6206e030648dc909f400827918950e58b6985d3bff072f211bde368b

SHA512
74890f230fcf3f78daa18e1c4ccd4fc73141d77d4d4e6f236da834f02ecab695230aac852eed32323a36ef601e8b1b5e5b3c6904c0dc5acd5d8f86b945aa5dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fb875471f140e55f1f8bbb470ba212ae

SHA1
8b1ac822d56c107f9cdd019e9f344b6dbb38cdc8

SHA256
a4ec4db8a52eebefdaa6885669f542f4066ce881e8d9f9967dacfd7bbb34193b

SHA512
7068b2cd5fa638f0919b9498bdc47493f1aa87f9d523c18aa0d1f8f19f7bd7ada1d1ee4857b9e9c42293015df1db67d170cb4f9add62178093d9703d6e9de9b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9316b9b78f169c7eccdf1f7d555088f

SHA1
77b3743fa380fbfbbb23932ac5807fa43afcc20c

SHA256
f12fe7b3eb87f01ad654bf0d234c76e9d0a6803ff656b060f0e2cd6c3c8065d1

SHA512
c7699a1441b9bd368ccda4db7bc67bca2a16a08a7ec8f8ea8bdc132646217d576a20c0fc92d62baac99c55d02f5f289e02f185dc20ab4eff871d36cd4e9ba995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fdeab20095ef5022aca80c150b81745c

SHA1
14c5d8e3040a3e450e4fa0d8d94e14e8d99d4025

SHA256
51edba39fbd51178525555051bbe1306a7cc71adce395228d26cae8c2345385d

SHA512
3ca54bb5d331480f17681ac694553b7d69c0bacc4ac1b8c9a06fe4e75f834c024cd23a250fff08bcb919b1956dff57d60dbfb7b47bf719d6a1964b4f6c61e5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
14d83f3394633d6ec604286d016ea722

SHA1
5106d8a3e63cd142c8f439da7f522d2b5a20e995

SHA256
0f43caf047edb21918f36df735c383b22fc397fb4d72a8fc7c04704e83171898

SHA512
ffd6691bf181e5198ee2c602df7418ff71789c6b507d18eec45d10180a4930f34c7c2b7d11b1bf5d333888da6c1a7e146a2236d83da43767949874fb4c007e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d500f59edf73d385c6a997af0db4b907

SHA1
8d48e4f399af9825b1712a6036b6f6f26e2f1d10

SHA256
887e8b1540e94524742fe3e3d19977f11896ab57bc4d7b2a7fe34067567386bd

SHA512
b9869382d4629f7b268bb65794a4541f26b75530f9ea013fd5f5f5d920a9445cd2d795de82c68a9ec55ddfdd47732ce334155108bb1fc0b8980bb01a7991dd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
95bc24fea528dc7d3ec0a5b814b0785d

SHA1
0295a3816f50dd423b37ce521a56013d9fce46e6

SHA256
9cc7a0a3fd80233a19dbb2870b9c067ed976b81a706e4da6fe48f0e041809973

SHA512
8d95caab210d13fa12f5f73e29c6f56642d2f79c19218d7289512d535c101b03cc9aa994059d2c626b180fb992688a4270d545824557765f64ee724441985290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c3bbd2819fc823c239f3979f3fd83b1c

SHA1
08aabcbee87356d5e4da4d1011e0c7a513dc02fa

SHA256
5eaad68cb9c02d542bc767a65ba35edfa6e13494ef9dd156e902560831cadf5a

SHA512
9b11733519ee462c6cb908527ac9df87fc9633a970190f9ef14602e612222436821a046edb7395663f7a5cbcdda72f0279f49e97ad3b6e82472bfeb519759481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
b9418d59d7c038521e23ec9d83e19e64

SHA1
d4711ad7d80c4f3fa00a75325f020e479c747699

SHA256
b221d7f6898eabe61c910d0f2b922e5903a2be5ef3f90e9af26f0585f385c0d4

SHA512
a51631fb688ad2c34a2badafb1a761822d1da8e72888ba6c23e6016ac54251568e4feea79a42d24b9a32a88043ae7b88667f2a8381e6d7f23d711949031e209b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
49e5d8774d7459aaf633e9e5d4397c0b

SHA1
a26fc8aba735b062fb9162733702c9565401241d

SHA256
049b36bb0e8976869d64c6cddbeb2d1bf42b9f701041ed6402d8d29c69f04236

SHA512
9f599ca2e52a3c2931290f7455d25fcdf73f12e082e7a75772a8862843c096aaf3fe457a116321cc1e0c787d73fb912a5e12d83888d6c7a925cfcf31e43cfc5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5813a2.TMP

Filesize
48B

MD5
15f6809aadd6da0383f8beef1f976f74

SHA1
c7869d8047f077b0bac9cc988b0300a361fd35c5

SHA256
83bce42328670d734246b38990843c39b5bdcbbc47f9232a80abe508cc51eaf4

SHA512
7b6e5ee651bf3c955b954dd64aa0e077ac2437fbc0d596494a25dc504b40218fcd895aefb01fea36ff3e99b46dcfac3a8f58503628d8d07cff6b0f8c58afa950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f793b8f3b91c4f564262351d15810ac4

SHA1
aa84d897630b8cd4d43e09af1b4f01550f0cf13e

SHA256
96c3867641a1dda60a78af63fe4feccf953f9c410794223fc45dc61f772993f9

SHA512
9e1a4b4f5609b9e2499a87048785051672207ed193d17c5db4067b7b8b940df90bd6114545943c3039a543908e638cae52700df0e932fb3a455133e570967d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e41d494f6611a1388d835b47fda30171

SHA1
7320b02ba1739447c976aa1b13b4cfe95a0c14c4

SHA256
f0912a27012ff1ef84c516e12f807b34b6dc1b8befc902f01f749b6e07488ab8

SHA512
72de5bafa24ca4893c27705451eb8e59016a865b43b80d4e442d9d80fa296b93d02e8aebb398c2102c55773d9e1ef68e08a81ee2ac004dea6fa8e83b5d7537d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4e0d8fec3b90dc9bab1a05007b7558e5

SHA1
e0d59d4ba316ef2c99c5dc852d70525cd87d27b4

SHA256
1a2e2ddad742e782bf8d8348dcf1592928a889c4c8de2b6dd12e1d53810a5692

SHA512
e03a34e690a600a62790f0c2cd4df0bb23aa7e2b03d974f04d557b04040d5dcbcee6e943c38213da2c980809f1b56515c7b6b3629f42c6b1cb79972ad14cd677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a125ef6c00e842c86126f33145764b95

SHA1
824fd32f86958eb5c337f7d23d9f4a80e394205c

SHA256
d707bc9defe6f1a72a7be4b3ef93f227d6abcc64ff97bc03673f51cdb32530ba

SHA512
11a93b70aa800ea6d719c5c52c580f43f608601a8cdf9168c40c5fad00a923959d53f3b6d74c61ac8df1643eaa5b67059ef2b49971bc1e322b15984a7e396c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b0d1.TMP

Filesize
1KB

MD5
828ee16d81e5731f6ffe5fa1d45e0812

SHA1
4bdfba0747ea0d68d1ee152601f16e9cc071b92e

SHA256
67864aec844b021b3ae9636d226647681bb8855de75d23db9f7e834ae2dbdeb1

SHA512
7f0a1bd55a815a4a7c7a511a19e8b416b2ed3d4cacbdaafff290c3a45bf18fffad49a9559ed93b0188fd1ef709434557a936d1a1dcfb4da431c7ed25ec0a0a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a43d509db1a2a8bf4a7e9c714d0eea41

SHA1
c86f90852ce703a3d7124980564ed14cc12b0b53

SHA256
50d1eb9ecd98fa60845f18786ab4d6ce5369fdb6e33897f763bf3c9f622bbb78

SHA512
45965947b4773f21b3c047d08f65e3f71588e435eb31e3f8546e1706e45d400a432df7a9f4e2a39554e822da13a7ec0849a964e418523d45a15c61df66d5c272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7be4c0d82ee54759ba78488eb588c434

SHA1
b1f5c58ce3da2852d70bc3a29c93f7eb1915cdfb

SHA256
7f6d26e8b2f5c38ade0b0bd1e80b662b0ae80f0a7788d2d01d6c9298607a70e4

SHA512
9f8a6ef49917158e1f52693c14bfbc0117f6fba4a9847813c03dae9da90d6b0b0ab9285878f4cb3bf932b0caae23f8f259140f2a4ba4aaf9e4d58d5e31940367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cd7f183922ad7951c827b4982dd1b0b6

SHA1
ce15b94c12fbe2bc7a23e97995346d9bc9543a72

SHA256
a6fe2d613de0a25453984d546e84f7834bcb3fc4ed16017d560f2fb4a1cf1eac

SHA512
831d213bf3262f33c14d7ce1c906cc764a355cda0c7ca029daccad85305178b59e27d0ca9193acb2a204f7702e7cd11a9c5f1f5ac67421900a6cf1734b1d4bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
579e7e327a9ff790d6b05ece3469d5b3

SHA1
96e94c9defbb22c312b92d2a335d87128c4817df

SHA256
310b833b8fe5ae959e681b8c9b4acbc5c5256098236430903dba114ab4d85d9a

SHA512
65089f2d5711027745d57a6dbf95c16e175595bfa148c28aedc8ce7e7db5c56ab4ee5f3f58785fe8cb6a342b5c82c68422144ef737c6cd6d3c18afd0b8fbcf26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3652a65dc0726792b7a377899c38f3c9

SHA1
c9f2b4e7c71924b0cd257ba4a449dcd4ca1acc35

SHA256
a2fa6b42f1ee5ca70196c9d652581bfbccc39cf3ba4dd6e18ba99860e096d53b

SHA512
7dfd857f8e8b3fd3f7235c88e2eb4a33fc67c9ee5e2b4450bff021ca52f206add773cc8feb6aa3d46193f08dce85e79f89cefd0f35f7108c34233f6bfd1a00cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe

Filesize
1.1MB

MD5
9e20193fc19f711411f6dae741e5a1bf

SHA1
43c3139d7acd376f6ece1f27c4b7cae9049953a6

SHA256
b46e851e7d190d089c5d11ea491210a8c9513732b570ab3daced4248ce850989

SHA512
8f894c12f52767bfffa351238b71dd5eb4ddac9628941f1ae8b7d1d82ee2383214bf138e6d91957459170551982688c0209ba8a8f0bfe29753e9973a0ba74958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe

Filesize
898KB

MD5
71f028e5330a0ccce91e0b72b629e744

SHA1
36a33af63212775aa9cba97b8a964a4dcb7933b1

SHA256
2f99da83c180a05bce5063b12f2394abebb9995799d2c4452f28370e6d436aa2

SHA512
845e23b1a26177c025b546011148108accb1724bc29ec91a7e608c09b18a6f4d413f48a2f87f341142231adeef9fe22b1af11d095b0cac3e49cd0b8b91d257f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe

Filesize
1.6MB

MD5
f8e7488fd4ced59d6eb387447bc37430

SHA1
560ed0a592273875ae66a93efd611f76a9da7ee7

SHA256
30d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347

SHA512
0e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2

Download Submit