privateloader | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
Size

1.5MB
MD5

cb25b6bd54c4239ad5a75fc6fee281d1
SHA1

ed46e5bebb879516910f09870ebe26bdaa47f23e
SHA256

cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6
SHA512

76928cafffca0716011b44fc29951efb9136b0264b48bf8cf690310244c88de7dc8249e38eba7a89abfa56055e74c09ffffbb463e30cd902ef6467395d79ec47
SSDEEP

24576:SyCKD/kGZQfbnV3frc9jFJcSKUqH8wIJjKHgjp6o9UMDJyudYfoxil:5NQDnVARFJIdcwu2gYomMDJyuOfOi

Score

10^/10

privateloader risepro paypal loader persistence phishing stealer

Malware Config

Extracted

Family

risepro

193.233.132.51

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2TP7412.exe

Executes dropped EXE 3 IoCs

pid	Process
2852	YI5eg95.exe
4728	1Aq73YY3.exe
6228	2TP7412.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YI5eg95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2TP7412.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral22/files/0x0008000000023413-13.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	2TP7412.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2TP7412.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2TP7412.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2TP7412.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6740	schtasks.exe
6936	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3956	msedge.exe
3956	msedge.exe
5036	msedge.exe
5036	msedge.exe
4824	msedge.exe
4824	msedge.exe
5420	msedge.exe
5420	msedge.exe
5860	msedge.exe
5860	msedge.exe
7284	identity_helper.exe
7284	identity_helper.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe
4728	1Aq73YY3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2852	3468	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	82
PID 3468 wrote to memory of 2852	3468	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	82
PID 3468 wrote to memory of 2852	3468	cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe	82
PID 2852 wrote to memory of 4728	2852	YI5eg95.exe	83
PID 2852 wrote to memory of 4728	2852	YI5eg95.exe	83
PID 2852 wrote to memory of 4728	2852	YI5eg95.exe	83
PID 4728 wrote to memory of 5036	4728	1Aq73YY3.exe	87
PID 4728 wrote to memory of 5036	4728	1Aq73YY3.exe	87
PID 5036 wrote to memory of 4856	5036	msedge.exe	89
PID 5036 wrote to memory of 4856	5036	msedge.exe	89
PID 4728 wrote to memory of 3980	4728	1Aq73YY3.exe	90
PID 4728 wrote to memory of 3980	4728	1Aq73YY3.exe	90
PID 3980 wrote to memory of 2956	3980	msedge.exe	91
PID 3980 wrote to memory of 2956	3980	msedge.exe	91
PID 4728 wrote to memory of 3560	4728	1Aq73YY3.exe	92
PID 4728 wrote to memory of 3560	4728	1Aq73YY3.exe	92
PID 3560 wrote to memory of 1960	3560	msedge.exe	93
PID 3560 wrote to memory of 1960	3560	msedge.exe	93
PID 4728 wrote to memory of 3884	4728	1Aq73YY3.exe	94
PID 4728 wrote to memory of 3884	4728	1Aq73YY3.exe	94
PID 3884 wrote to memory of 5052	3884	msedge.exe	95
PID 3884 wrote to memory of 5052	3884	msedge.exe	95
PID 4728 wrote to memory of 672	4728	1Aq73YY3.exe	96
PID 4728 wrote to memory of 672	4728	1Aq73YY3.exe	96
PID 672 wrote to memory of 5068	672	msedge.exe	97
PID 672 wrote to memory of 5068	672	msedge.exe	97
PID 4728 wrote to memory of 2848	4728	1Aq73YY3.exe	98
PID 4728 wrote to memory of 2848	4728	1Aq73YY3.exe	98
PID 2848 wrote to memory of 844	2848	msedge.exe	99
PID 2848 wrote to memory of 844	2848	msedge.exe	99
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100
PID 5036 wrote to memory of 1308	5036	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
"C:\Users\Admin\AppData\Local\Temp\cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        5⤵
        
        PID:1308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
        5⤵
        
        PID:2864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:2388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:4100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        5⤵
        
        PID:5384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
        5⤵
        
        PID:5632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
        5⤵
        
        PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
        5⤵
        
        PID:6140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
        5⤵
        
        PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        5⤵
        
        PID:6400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        5⤵
        
        PID:6440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
        5⤵
        
        PID:6452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
        5⤵
        
        PID:5888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
        5⤵
        
        PID:6728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
        5⤵
        
        PID:7112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
        5⤵
        
        PID:6804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
        5⤵
        
        PID:2756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
        5⤵
        
        PID:6368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:8
        5⤵
        
        PID:6868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
        5⤵
        
        PID:7292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
        5⤵
        
        PID:7576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
        5⤵
        
        PID:7592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1
        5⤵
        
        PID:7796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9092 /prefetch:8
        5⤵
        
        PID:6640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1
        5⤵
        
        PID:2876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3279523480986445255,8615089133666381078,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7208 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:2956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1020437331337729892,2049851883904047519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1020437331337729892,2049851883904047519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14476136281841352154,6318099949141259060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:5052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7545851942565148087,11837572935274807295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,12131223924646441089,13719371567119503491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:1380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:5900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:5332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5fdc46f8,0x7ffe5fdc4708,0x7ffe5fdc4718
        5⤵
        
        PID:6200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:6228
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6740
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000069

Filesize
132KB

MD5
3ae8bba7279972ba539bdb75e6ced7f5

SHA1
8c704696343c8ad13358e108ab8b2d0f9021fec2

SHA256
de760e6ff6b3aa8af41c5938a5f2bb565b6fc0c0fb3097f03689fe2d588c52f8

SHA512
3ca2300a11d965e92bba8dc96ae1b00eca150c530cbfeb9732b8329da47e2f469110306777ed661195ff456855f79e2c4209ccef4a562a71750eb903d0a42c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
3363d643faf6f9ba56ad23b789242343

SHA1
8918481434401f178d8a925a4c706ca01170c2dd

SHA256
e64aff59570453da85ff45f5654eeec9f8fbac264fc7c50385f347aa400c093d

SHA512
fc8b7aef70e99716de45c7aa9232941dbee8c1f047bd9ed44f03d56e147cef442631c569e42122ce06b5f37d7019c72c602f15dc1a510bae02872e180f240372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ce36b2b9163324feedec324ac30cca88

SHA1
40350e5d53bfc34bbd8f0a4f1f372160ac68d0fc

SHA256
042a27d77ea97a4977dfa9fafe00792bbb3068a6805b15b64929361baf6e384f

SHA512
f70dbd2b97b91179ecf190e8a5b1ef9d58340af899fa08750fcdc3e2ee8917e0bbf711542179a814cc9240adc270f1e782bb5daf7ee4e3bd810e30a8091f7bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2e85880c22bd4fceb9479243e90858d6

SHA1
eab99b3fa3c70bc8c309050360dfeb4ccffe13de

SHA256
df973288341e80632f38db62a315f01604105e02a217f8d4a19181e56b8aa5ae

SHA512
a829190d53ed75c4125eae1593fd3c3d83e0b87cf08328d411238f397da612622837345d2bf23c8793df1b04c22543718cfbe90900215740399c7def5a3b79d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2a537c541079c5b347331a65f31ca305

SHA1
e171eef240325a95b279b97077ef890b7ac6a467

SHA256
b88b9eba5c991dc066cd03afb17189bee2d78041b9f875f3884f5f814fc38427

SHA512
a0b065ccb9ad44025cb5b607c8ea612416ff658626900094996c8495141a41e66e63b721ab998e6e0f749a3deedfe44ac1127d53876110448053354ed1162944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a2696f4bd633a433ffd946b6b07b230

SHA1
9ff9693bc46b1b95e0d5bfeb82de52d5d0021643

SHA256
b72f22d88775b6052135f49be36233033751ab9428549ac2dfc7c7ed78c9355f

SHA512
6ac65c419fa61ad41e3d1283287432f8e8aa29d242ffc3223c59ca1fc945252f20e5aa8692b5db48e8ce414f48ca0e0b9c5c1b3fbf96572f1f85604fae7f08ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
544c154a4da8900cd9cdf9c87a9b138d

SHA1
0150daf7f12a1b5b11efca72d5e71a0bd52870a2

SHA256
3592e436569c97aef5639965cef3817c40b3090583f4ba202106927742e633fa

SHA512
9bba9cb5c427ef813fe3b484263f855f0ac743a3fb01a5cb42e426f839bcbf4b30160c41e1147dba72ec9f9afd8af34f59fa9a52ab4529ef640ecc6d8b1ab166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a94ee8f436c6fd62df3d19af3adbf70f

SHA1
cbce671464361a4a540e12c939e04d7dadbd867d

SHA256
32bb3374777e1621016d8e8637f213851d510348f61f7815811bec9e576454ab

SHA512
8e0283e6358e64c23aba8a0d8973999170254b6afe07544c8c202d96bb70cfefc34a13e682a3b2b586e9930bb0cd22dc40acdea75e1ebd2ac25c5559794b892d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
e3e4f62ac735197e2fdf38c20ba0c4cf

SHA1
342c873d2062cf86a07252e5ae6d6a227ce185d2

SHA256
1a10f1fb369c3fcbd32a707a12378f0a351e39de720786566a4ee8cbc5e8f2b7

SHA512
2ba6d4ca554c2b821bf3311cecf9efa5674e03fe39d0ab608b38fcd0cb38056434a5eaaaf0b5bf01482c7260405a5cdb04903ec7f2c7d115ab2012173d04e976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
85920f03f5e884424c4671d038d0d98e

SHA1
93d22cce48dc276969d70717ef57317d24bb12c5

SHA256
e9ef8f24e170ed2b482d4e8ea87be3912a29c3d7a0aa74c7434d37cb9566201b

SHA512
c7c1a138f5c2f5d09e0a335a7ae62dfd61835de090aa43da2fccdb698cb5d5def9e1f6e943423b9f00392e076214c64d680c1e6353d524a99e3b1cea75ccd2bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
82B

MD5
4fb8c63ab1bfdf42bacab241c134dfbb

SHA1
6cd84f1ecf7964914a2d8e8b707e8bfc1b2eb9cc

SHA256
a106c2d17ab2e477634d24aad66ee3e48b6f0d0a9929ba4fd5cb4b0725fb9e88

SHA512
a764f752157a852d52f7e8d7570dbb749848b6614adf5f99cc22784e6954b59104ff0ee1a27819079f47103c4bf4e2b5a7633538e94227871caffd0ddba4d9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c125dabc8a580f7d1619915e07962e8a

SHA1
8569c2ccb04b12d7603d21e17cb8b71e77c41199

SHA256
c093eda7d9e8e3f36caa6420003d7d9ee737b78e471915172ad7295df28eb367

SHA512
9e096f6ab6463c07b86efd7577c53b8ba63817b614df3a0134f447556e11eda9e5dc6e013aeb8f5c314a5e7b099837d8c1a3a8af29779c74692d0e6ec676410d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57dce3.TMP

Filesize
48B

MD5
3ce6dc604c6824ca65758085d2bcf6ff

SHA1
5323e58ce0c85b7bb6165ee2248165ab1389a924

SHA256
be77ec3073df6c452d3bb7a496fadc3b02a3289ccdbaefee2c216f90565ad720

SHA512
0c84d6971d08dc21c1c041c4c1d605529ac4b2e30579a9e75c39d63ae48293b86b71762549253b4ca84e22bd72e727ce06e1991f62b72b947b0c93f1ca093f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
bae580dd2c586996716c8d9d78b47716

SHA1
d1d5d74ae7bc8ce2919dfd5f50e33e7ed6baf09c

SHA256
ac6a072943d22b8dfbce3bac4394eea8737d4558e013bff5f253b691b78c96ef

SHA512
f60f39cb2e99d98928359b21a7a66640e9d687eddb5d620d1a7d377315a9fe7cb7c9f33a28dd98a29a9ad220d9e30a5af86831db1b4f50f03bd89dc47822729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
825763c682e48d25889e1e565e207247

SHA1
2c07f1d9a27d282be7ae93ee532a22e00eae83ae

SHA256
dc9caf80e604b0d62671ce8f395558b34dc02a457cb469027463f5d0721c2612

SHA512
ec8a7d4924c9dc5a663c15d126c95a98f3034ccfd101a4bd685af0b39d52e1e5e86744787ed4e9ba6880fd984445d3376ce4bb740ff3f908cb67f6846cf54f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c3fee4d40a715f103f42eed37f3d704c

SHA1
2f47ade5a426175a52ae5f5a1b0add32fb2368ff

SHA256
c2a24ebd975267be86acf902ea317c1caa953424e1049de04667da247079ac63

SHA512
2b231458f9127836e0f3c791a15cf56aa59195330fdf6cba12bc3d8f0e8f3dcc93f140b8ca0312566c04b163b6066cb3545170253f58e27379d0db4e07f29a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57925d.TMP

Filesize
2KB

MD5
d9ed0936322970a0ef0aaf0963b2f3a4

SHA1
d93555e83dd96a6b5c3d5edb52ee6d130035afef

SHA256
4f892661a2455cb56415d183400d61b3040eeba030ce3f5387e633d6f2e61b15

SHA512
27d1226527064425a9dd1be5f47982b99cc9563f86680f8fed96c6f1f0487e42c14b6c596c41618c0129ae227f1f171bf6f8a98c7db4e538f92f02b4abb7a025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2608d29e2521ae89f38b72327fe0fe1e

SHA1
fa2e8853f87531c5ba70230ea6bc88d6e3cb8c43

SHA256
41dbff57d8f96e2ff2f0ccfebe042bd45ad9e1cc75ed7e5b1947e7e67ed5b6c9

SHA512
fc0eb235067c10bcdf0706091bffba3d64a0ef4283b9fc8356d2f3d084bafd63585e48e82549b932373527cc5306946f4e6870b45f36f1f82a4adb30ca128bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
acde53d193aa7c2ad66fb4da6b8a44ee

SHA1
c834b2c8f052b564433efdae549864e7d8fc5426

SHA256
aa8ab8fd67ec14d21e001dcc35c10fd90d144961f8b9da6eae71ab4d39e1ed67

SHA512
0459972751791a4937f73579ea149ac66a41fdec38db8c5a85ab9a6ac5d0a1a13751c7c397ee80f08a949727b6db8359a26a7d35a0a41ccade55245f34e0a80b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
600a604c73e7c1b2484abe29f989dc6a

SHA1
342d55a34c2509caf771211e03ba467b75ad0951

SHA256
4e31cab8cc766f17ee90646c1602034e9d91880e407eacdd4d07e1714cfc2e68

SHA512
31e2093cb8411b2935eecad6f9d3af953d3aa5b4b1025140ff6440e1728c70ba82e5b5be538ee92460937840d6a988bc77dedbff13a5a2c8318bf357d6833586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ddb90c0b4d08a1c401e446b0b7ffa2ff

SHA1
8cdedf61dafeedc2b31a7c792e5d2476c0d1a052

SHA256
a5b924d46ad20a0dbc068368e60f931c2ffced4d741347d5944ee6481878c0ce

SHA512
bf1eaf2ea865cf9b336a8bd8be1dcbaca479e23147386da08492da6bcae69771e8acf451fbc9c77fcb541106d9bd44c843a148e7ab0d6b93f0b42621c9c05efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6296b8530b8532a4829c05b900dbc2b0

SHA1
ebb4b9a104121db81061cb667d59ac6f21a5765f

SHA256
92488e90e44a4d5e5d14e7692817047b9a69be61bc7358a9538f306419df2bde

SHA512
71d37cbe789b3214be84cc5799f426732da54806779c91871c4b88a5c416904affc05136a47d9fc2f2be319fc32167d1c26d8927f997b7290c5cd9627e8980e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YI5eg95.exe

Filesize
1.1MB

MD5
9e20193fc19f711411f6dae741e5a1bf

SHA1
43c3139d7acd376f6ece1f27c4b7cae9049953a6

SHA256
b46e851e7d190d089c5d11ea491210a8c9513732b570ab3daced4248ce850989

SHA512
8f894c12f52767bfffa351238b71dd5eb4ddac9628941f1ae8b7d1d82ee2383214bf138e6d91957459170551982688c0209ba8a8f0bfe29753e9973a0ba74958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq73YY3.exe

Filesize
898KB

MD5
71f028e5330a0ccce91e0b72b629e744

SHA1
36a33af63212775aa9cba97b8a964a4dcb7933b1

SHA256
2f99da83c180a05bce5063b12f2394abebb9995799d2c4452f28370e6d436aa2

SHA512
845e23b1a26177c025b546011148108accb1724bc29ec91a7e608c09b18a6f4d413f48a2f87f341142231adeef9fe22b1af11d095b0cac3e49cd0b8b91d257f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TP7412.exe

Filesize
1.6MB

MD5
f8e7488fd4ced59d6eb387447bc37430

SHA1
560ed0a592273875ae66a93efd611f76a9da7ee7

SHA256
30d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347

SHA512
0e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2

Download Submit