mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
Size

880KB
MD5

cd2d434c0c751497d16291ea2d184d4d
SHA1

faf06f2ec5fd9633fbcf28bc6218da57d14b9f05
SHA256

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638
SHA512

eadfc92878c68021ba3623e388d19eaccee4d265bb9e945266b070afeccf06ad3c988d1e187bc079e8f5b7c05bc1ab3d71ee218d4e17a14d9a9962a1ac7ee63f
SSDEEP

12288:dMr4y905aVkPQUH7ae74IC5UpClHGghPLvXMXiYQODOc5tVbXrOtb8CXYca5UzSj:FywJH7aeUIsACtGcPYDtXOlEUzS7n

Score

10^/10

mystic paypal persistence phishing stealer

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/6708-918-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/6708-921-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/6708-919-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
3368	jz9zO26.exe
1712	10Oj26mz.exe
6312	11oE7970.exe
7832	12lW741.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jz9zO26.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral7/files/0x0008000000023454-12.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6312 set thread context of 6708	6312	11oE7970.exe	174

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
348	msedge.exe
348	msedge.exe
4808	msedge.exe
4808	msedge.exe
3136	msedge.exe
3136	msedge.exe
5336	msedge.exe
5336	msedge.exe
5360	msedge.exe
5360	msedge.exe
3524	msedge.exe
3524	msedge.exe
4372	identity_helper.exe
4372	identity_helper.exe
1008	msedge.exe
1008	msedge.exe
1008	msedge.exe
1008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1712	10Oj26mz.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1712	10Oj26mz.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe
1712	10Oj26mz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3368	1228	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	82
PID 1228 wrote to memory of 3368	1228	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	82
PID 1228 wrote to memory of 3368	1228	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	82
PID 3368 wrote to memory of 1712	3368	jz9zO26.exe	83
PID 3368 wrote to memory of 1712	3368	jz9zO26.exe	83
PID 3368 wrote to memory of 1712	3368	jz9zO26.exe	83
PID 1712 wrote to memory of 3136	1712	10Oj26mz.exe	87
PID 1712 wrote to memory of 3136	1712	10Oj26mz.exe	87
PID 3136 wrote to memory of 4984	3136	msedge.exe	89
PID 3136 wrote to memory of 4984	3136	msedge.exe	89
PID 1712 wrote to memory of 4696	1712	10Oj26mz.exe	90
PID 1712 wrote to memory of 4696	1712	10Oj26mz.exe	90
PID 4696 wrote to memory of 1276	4696	msedge.exe	91
PID 4696 wrote to memory of 1276	4696	msedge.exe	91
PID 1712 wrote to memory of 1816	1712	10Oj26mz.exe	92
PID 1712 wrote to memory of 1816	1712	10Oj26mz.exe	92
PID 1816 wrote to memory of 3532	1816	msedge.exe	93
PID 1816 wrote to memory of 3532	1816	msedge.exe	93
PID 1712 wrote to memory of 4268	1712	10Oj26mz.exe	94
PID 1712 wrote to memory of 4268	1712	10Oj26mz.exe	94
PID 4268 wrote to memory of 2560	4268	msedge.exe	95
PID 4268 wrote to memory of 2560	4268	msedge.exe	95
PID 1712 wrote to memory of 2692	1712	10Oj26mz.exe	96
PID 1712 wrote to memory of 2692	1712	10Oj26mz.exe	96
PID 2692 wrote to memory of 3348	2692	msedge.exe	97
PID 2692 wrote to memory of 3348	2692	msedge.exe	97
PID 1712 wrote to memory of 5060	1712	10Oj26mz.exe	98
PID 1712 wrote to memory of 5060	1712	10Oj26mz.exe	98
PID 5060 wrote to memory of 4924	5060	msedge.exe	99
PID 5060 wrote to memory of 4924	5060	msedge.exe	99
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100
PID 4696 wrote to memory of 4560	4696	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
"C:\Users\Admin\AppData\Local\Temp\5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:3432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:3240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:3968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        5⤵
        
        PID:3824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
        5⤵
        
        PID:4424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
        5⤵
        
        PID:5420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
        5⤵
        
        PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        5⤵
        
        PID:5832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        5⤵
        
        PID:6132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
        5⤵
        
        PID:5680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        5⤵
        
        PID:6188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        5⤵
        
        PID:6464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
        5⤵
        
        PID:6572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
        5⤵
        
        PID:6664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        5⤵
        
        PID:6972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
        5⤵
        
        PID:7044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
        5⤵
        
        PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
        5⤵
        
        PID:4604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
        5⤵
        
        PID:6868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
        5⤵
        
        PID:6872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
        5⤵
        
        PID:4108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7976 /prefetch:8
        5⤵
        
        PID:6340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7976 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
        5⤵
        
        PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
        5⤵
        
        PID:7324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
        5⤵
        
        PID:7328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5900 /prefetch:8
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        5⤵
        
        PID:6088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15776326047797345412,13718651753855221128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3004 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:1276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,10983665759163404311,3726590264158534190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        
        PID:4560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,10983665759163404311,3726590264158534190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:3532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,14873127409414453999,6395699645834087923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,10191769134902438770,7579079193985506847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:3348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4919599518652678352,10702860265604051945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:4924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:5280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:5848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x180,0x184,0x188,0x15c,0x18c,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa508946f8,0x7ffa50894708,0x7ffa50894718
        5⤵
        
        PID:6200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12lW741.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12lW741.exe
  2⤵
  - Executes dropped EXE
  PID:7832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2b894ee543935ab078cc8b36b0207ae5

SHA1
6be90300a05bf2e8a601c82d95d4e0a1b9543b98

SHA256
1a5f688dc1c58ca7c7e762184b2709082cf97a36f3926c9de9c2d1dccf4eb48a

SHA512
8919e5953ebac5fa99d1e276c7801d21cff1fd22929d0b85fdd4c9329dfb6b10adc99c63151583bc1cd0e742bf3417c467cb305f5175ed5c2a33e445a7c2488b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4e2bae47d0ca43ad833c5a6ee50b61db

SHA1
832f9e3610337b26ffe4ae5242892865c984958f

SHA256
272a972020a969ee8741f100e5c742d61394dac62d18d7b7d7dfdf68c8086df8

SHA512
64c4169ce765a5d7005b498967bcec1766953988eb015e6d2eec9b8433c6ab8d80df4fd270e6c1c41ab9c7d385996c2da84871bde21a7a80d4308154fd6afe17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2235ffed5b2d04659f94d64bc834edf0

SHA1
a2773703d4f7ba5dd765536da2811f85ef3efeef

SHA256
70a9205a118f4eddd23f1171b8464e9255b1c886390114fd2b6dbb78d598a6fb

SHA512
6f2bdd807d6cb457977639f6a59a5739a1d916be3945d78fff8e8c36c1b01704aaa3eeeaf5dd3fc01d07e651cbf80a947c1b2f318c13e164165a090bbe1f1742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
781bc8047803043ed3db38900b4e42fa

SHA1
905572645a092df43acc3d0eeed50fafdfc63d6e

SHA256
2fa5ccb484b560ecd3fa7bd31bbdf252ec800b3ed65b52585f5f44c5e338c65a

SHA512
e0e3977758014857aa7160ef6ca36c51981ed5264b5c90b061d658d7bc561b20309017fc243d9cb72beeaa5fc6a9a0c5deb10b45180be112ada95c69e57c68d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d980eea3e026d550869d7ba5f59bae23

SHA1
e5988d6bf88347371584c38451ad962200a43192

SHA256
44cd0251308f0e74061b9cda0773c095613990574b10906b2b6d744ab1436214

SHA512
2279e834b1b6d43cffa4d983acaabf5ae5fbd96344b803866301b5b1a9410972851f85c2fd211ef212ccba72c1e4e0f774a10a8801701673f1bc5182c8c0940c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7d4e4408cb7b4ac94da27e57482212d0

SHA1
882cf835026fed6c089f3370cd11a3de173194aa

SHA256
3e95e26062243e1b148fbebca3fa1a752041322e4c31d83002c59a9b9ee87618

SHA512
8c3b11458a39fd88bed4ebd7a55c70be4230c902e8d33a40fe80bebb9d48389abb13a2b0d41d101fe49989388d5af929e28412da14fe283aec9f85034af8c449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f23a2cc13199c223e14d6fd2a83fe160

SHA1
399c31da53c44b147547eea8d2f1a84047a41922

SHA256
2d36fbee26e9d567ac4c29a281573bf939b9a0c022d10e14506b06289d120701

SHA512
90b0bc9bface78dd9129d1700b6a7f5ae4bc95dc7d443c763de1f2c0cf4b67ec811e5f5f3333697a22d21a06b3032b489c6221d5350a460a732228cec56769de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
78643547e2ce451df9d0382b6e72bea0

SHA1
9fa592cc58d7bc0ed7761705a7e266b4b82ea25b

SHA256
4c9d533641bf170a7c623757e6476b08eb8d27eb2edec9ed5fc9480678a35796

SHA512
19032279491e0b45815d1aa59cc8d8e835e1578cb60ae8cd9d6e5370b90d3ae471823559134f4841eb3da988042746b513f4b97f828f029cb4e3eb17bf4161ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a4bc439c75779f79b721491544ca1246

SHA1
388b57253ca854285598ab154123a3d9a66ba155

SHA256
a652af93972f7cb0b0b3afce0f2c53406f4ad718f25a3eb666bed06f83973b76

SHA512
b46b451e455fb713d57a2948bf326a574566b560254b3de2a27981c15c3da60a4ab2b41541de2957a2643a7a0592c7a11b874a52bccbdf5cdbb843e2370f0c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
59234abfc00df4192c8e559bd3b2804d

SHA1
351d556bee05159750ed1363ba84d8c5ac57dfb4

SHA256
979e6853d3dbcf9401f53f2e8470a026ef4cd77b13e4bd3860bb2d68b6782af8

SHA512
b017223413702e907ba230416de3312340df6e02c9e311568c41cf66bc8fa571d7ad4bc0aba18dbdd5ae35ba68025f500a86b3a1b9b36eb98581367143451982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
063b197f623c9fe605af89c3649b4615

SHA1
7a7c5b1984bbcafaa12141de49a6ced79da26f22

SHA256
5544f44832f00f0287077465864627b519a0c8db7d7be42e9eff34a86dc5247c

SHA512
7f9d089a37dd94db7c04d3c7fc679f162b5ad7ea43f91ecd0e4e2e17c11c5c7cc4b37d86227ad03bcb3bfa49b727e1885ffda03cab5a3e4276c45e4d3d02b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f8d7.TMP

Filesize
48B

MD5
b32294b93f8cb332f861dead4c1d76b5

SHA1
d428475dc7c2c9a950b63490da15a0190bca1c97

SHA256
0feef776ac66578fb7c2af63e5436d0d36671efb9c8f99ddd4ff103cbc7341fe

SHA512
79777cfa539a83e9da0322529cd37968f89a0b234e56de9dbc46803e87d463d8e8b33fc5813d7eff0238f4a71a0c3d839752afa2d1d06cd7d80d75ffea073615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6569755565a74ad1dc01256095c3dc3f

SHA1
07c53419d90efe8d1c5e472fc74dd053ccb5a125

SHA256
81e695ad16690b87386f8185dcce32a70690f2c960c82d02e6a55a8f8fa6a645

SHA512
1adae289e967c5bc30df6ebed6b83f6c43628a01bcd1588d22a7d8007515d643632045759a6304371c34dc800456dbe8a5ec0303ea28edd65dad1bbc5414354c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b1569abf30807129208c5f01bc1efa24

SHA1
e16eb1529c5323b5b28fce6cd57a4782b9f2a9fa

SHA256
dfae1e46369fa74c503c430666dd39e9341dd22ed9c364a6c82eca7abdd2dc03

SHA512
b9fbfacf3cd1747d90760e4a7b7de3ae6e24940a19aa7bfae6640be6b98c445cb0a5d155830fcbfc19a8ee38c5248d6e6ca1689100cb2cf1f0a35f2fc3e9f191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7b651581d7ddea90e86e307e975588ab

SHA1
c22b6ca1239bff409a031746604db689feabffa6

SHA256
6e13a206780b3afad30d0b283dcef5d1fa1b384175be5597607b891127fc01ad

SHA512
24dcbbf7a5e68d89391b4c5ec424cbc7a7709c0ab33ee6ec1bf9bbec959999a78839d4f0c66b14457935eb3e531d76cc848bb95b68dbba522bf8b8c52cefc914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5796e1.TMP

Filesize
1KB

MD5
7dc6b923ddbc787a19495068fb082bdc

SHA1
a1d52b643edf4dec2dab290130ea0fe1a0c22731

SHA256
0f5c1bf5300cc2b138b6593b06ad6101c2def0cc802e27351c673ea2aee4f9c1

SHA512
a7824d0a60755632bde3c70b8a66afd4a3f70e8e21b210d2d89490e453fbc3f6f70432d9e2d9f7e013147f1c3b4dc343bdf2948eb03b97df497ffb62eae1c332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
10e003f941ed7191af5c37e0fd3b1196

SHA1
f702017d75f384f373a518ed64825f0d3fa6b20e

SHA256
64fc5f4f98ed04392a738bc1249c68c013e25d8ca51ce40abb1fb3d67704ca7e

SHA512
f72f46d88059dea796755f40de41b00bb0e1a631a14d83024604e73d7e289a3989f8227f6120895eb3376e34818766dd717117f82a56b3cc554573a6cf543722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c64036adcba861b101854e80ed837cb2

SHA1
5563dc0139568fc41d327fc7cc71637071573e7c

SHA256
4d99becc797b64f2c71fe4dc58dbfea0eaf79ad5edc7998ba71b4c7f1f525bb6

SHA512
79038ea10e9ab03f338f190212ba3cf6f07ea2a4fa80328ba00ff27e8d37c8958677481fc9278fb5c7aa79353c75837bc675bcfd05b8ebe15a53e6e13b821adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f20cd1805f2149df73f8ecf79a2b69b3

SHA1
2735d86541d5a86e7f02fb3edcc63d40d57770e8

SHA256
10490a101413fab072813f1a5fb153818da0563b4c60bb208e04468fb69ec73e

SHA512
c10b558149fe8c8d1793d9cdb731908cc4218df936ed32dd081c423d90f3c98ba0afe973222127034109359c6b37412342efbb0f9fce66efa3aff4ff383bcd16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cc6c351ff44b062643815650da3bb58c

SHA1
37c6922263185106c7c47ae541f2c397ef5a41c2

SHA256
774824854c8f28c0aa1a2aee55aa59a3ecf41033518e02c7fe21815ec474f01a

SHA512
e84a7f35c1f2e148bd6df3940ea75bb5690d461c3655d29e1646d50ea76563815dcc96e4d03cb3e56124defdfbdf60d6b976e6d019b00846a321d58bd7e789d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f41fc869db7dc40898484a3debf03f01

SHA1
d02994451e3f0584fd41291f3a73eecef77f1fb8

SHA256
da1ff0bdbccf69d944a242dad37f076488acfc215449e0d31a3c204d44dd9e13

SHA512
fbe06b139e8d09f294ee3a95277f5ae00b8e4f38452df4fabb128f8343f197e6d3a8cc6cfc799f0e8b6d0873553d4b40e2520dfb99b45126887bd0bff8746bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe

Filesize
658KB

MD5
5ee6354b3c1462ad70379b6bc5373c99

SHA1
a9500d5d2e0ff9c944f75b447f7856c3ff52ebe7

SHA256
42790e47e89a95aeb2572e5cde3d514904723f7302a85482f0585af2e44b87fd

SHA512
3440ac0799fc126b59d45b59e169de9850cd4118a743decb9482c203bb355fc0a168ace04db81fbd9280f182d6195cc4e0a968fca4e393088b8665ac2ba7012f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe

Filesize
895KB

MD5
957d1f106e91dd0a9b8bcb064e28b9f0

SHA1
c97b295a70dc91ce5b4399515dd450c204df8cfe

SHA256
11b56e8e786712544f92de2b111c900a8958b9cf7c4396042f98ef8c5d5cc1dd

SHA512
ddc85a3ca56af2a3d00070603e9b275ca5e737a4b8dd16a27d1f93fa784e580428fe175344eee30d8ec3130e926f0cad8276a1cb37326f075d9bb02dffefd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe

Filesize
283KB

MD5
092ff5d48932a2b39b994e46f64cf5bb

SHA1
14520bf10c161c1a6fa1d945b6f5d1c30a9e3350

SHA256
7549e016a671f1ba803d8748e410016016d216ee9c06436276cfe1a1711bc86f

SHA512
e6147fa0987455bef361b02e5dbc78eca22f3bd50888e7e149f65da9b21be777f1b2f26428e49c8709b70476202c0d714fe4329d1ed673707a77e0429b67f990

Download Submit
memory/6708-918-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6708-921-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6708-919-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download