phemedrone | 97b5b7b3b23a2b928001416adc5d0f296c7250347c4785b5f9761cada5d3abf0

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe

Executes dropped EXE 5 IoCs

pid	Process
6864	M5Y601P1.exe
7008	BHOAMULW.exe
7108	ZU5L81V2.exe
6252	UX6FN73N.exe
6728	BDHRM6SW.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Wine	52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6252-2502-0x0000000000F00000-0x000000000168A000-memory.dmp	upx
behavioral1/files/0x0006000000023478-2487.dat	upx
behavioral1/files/0x0006000000023478-2486.dat	upx
behavioral1/files/0x0006000000023478-2473.dat	upx
behavioral1/memory/6252-2615-0x0000000000F00000-0x000000000168A000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
375	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
312	52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
6856	4872	WerFault.exe
6936	7108	WerFault.exe	190
4052	6252	WerFault.exe	191
2296	6252	WerFault.exe	191
7364	312	WerFault.exe	181

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133444750799409325"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-984744499-3605095035-265325720-1000\{AEFD6D81-F79D-462C-B3F4-F08163DA8F82}	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2844	msedge.exe
2844	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
1200	chrome.exe
1200	chrome.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
6016	chrome.exe
6016	chrome.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4160	a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
4180	58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
1716	6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
7108	ZU5L81V2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4128	2844	msedge.exe	119
PID 2844 wrote to memory of 4128	2844	msedge.exe	119
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 4048	2844	msedge.exe	120
PID 2844 wrote to memory of 2440	2844	msedge.exe	121
PID 2844 wrote to memory of 2440	2844	msedge.exe	121
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122
PID 2844 wrote to memory of 1892	2844	msedge.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\PhemedroneStealer.zip
1⤵
PID:4128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8459d46f8,0x7ff8459d4708,0x7ff8459d4718
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,18187660949532233730,2517031948084508545,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5656 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff846b29758,0x7ff846b29768,0x7ff846b29778
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:2
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5404
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff65fbc7688,0x7ff65fbc7698,0x7ff65fbc76a8
    3⤵
    PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5248 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4828 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4048 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5660 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:8
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2720 --field-trial-handle=1928,i,2955735749238578516,14610005958725662533,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5332
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.0.1140064061\374143599" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea735315-b41b-4d13-b90a-cc07b9c4101c} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 1996 195750ca158 gpu
    3⤵
    PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.1.1310493308\293012447" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07565810-d4fa-442f-b086-db33b682865c} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 2380 19568872b58 socket
    3⤵
    PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.2.1740822591\494189648" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 2936 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f083330a-7e5a-4239-b8ca-61171c0ba18d} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 2912 195793b5c58 tab
    3⤵
    PID:6032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.3.1496556378\2281395" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fba3692c-c85e-4416-be91-293fd42eb86e} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3620 19568867e58 tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.4.1787103823\1278394845" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87cfa576-b90c-4d2f-997a-755b92628084} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 4160 1957a4fdf58 tab
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.5.41242178\510869949" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5112 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76dc0e15-261f-4187-8157-ff1a7189bea3} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5132 1957a863158 tab
    3⤵
    PID:3688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.7.1357686617\1892502168" -childID 6 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d2a1327-d4fe-4a17-ad27-955f3e743df4} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5452 1957b755458 tab
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.6.517266707\459294129" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ffd0c80-84d6-48a9-8258-845d1f1d2f9c} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5260 1957b756958 tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.9.658981869\682289588" -childID 8 -isForBrowser -prefsHandle 6100 -prefMapHandle 6104 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c5cf962-2b90-48ff-940e-e7937d0555f5} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 6088 1957ce78958 tab
    3⤵
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.8.2074200880\2006553082" -childID 7 -isForBrowser -prefsHandle 5332 -prefMapHandle 5492 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {553c0be6-67be-450d-b6fb-3b6cba9ce50a} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5696 1957ce78058 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.10.832111437\1656500961" -parentBuildID 20221007134813 -prefsHandle 2820 -prefMapHandle 1436 -prefsLen 26789 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4738af86-52af-43be-a70b-984ab45f724c} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 6308 195750c2a58 rdd
    3⤵
    PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.11.783395400\1377215865" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5688 -prefMapHandle 5252 -prefsLen 27133 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d8ef146-418c-4061-ac93-20c7fa8c5bf0} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 4396 1957dd14758 utility
    3⤵
    PID:5968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.12.397957331\960937560" -childID 9 -isForBrowser -prefsHandle 6124 -prefMapHandle 6128 -prefsLen 27269 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf3ece6-2e09-4a3c-9f58-11534eb8920d} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5332 1957b755a58 tab
    3⤵
    PID:7192

C:\Users\Admin\Desktop\9aa89ac25459a7910489f306a1ad36af2c0ebe66a1eed7f749d53a8162b157b4.exe
"C:\Users\Admin\Desktop\9aa89ac25459a7910489f306a1ad36af2c0ebe66a1eed7f749d53a8162b157b4.exe"
1⤵
PID:5064

C:\Users\Admin\Desktop\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe
"C:\Users\Admin\Desktop\58b525579968cba0c68e8f7ae12e51e0b5542acc2c14a2e75fa6df44556e373f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Users\Admin\Desktop\52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe
"C:\Users\Admin\Desktop\52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 2328
  2⤵
  - Program crash
  PID:7364

C:\Users\Admin\Desktop\2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531.exe
"C:\Users\Admin\Desktop\2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531.exe"
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4872 -ip 4872
1⤵
PID:6724

C:\Users\Admin\AppData\Local\Temp\Low\M5Y601P1.exe
"C:\Users\Admin\AppData\Local\Temp\Low\M5Y601P1.exe"
1⤵
- Executes dropped EXE
PID:6864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 924
1⤵
- Program crash
PID:6856

C:\Users\Admin\AppData\Local\Temp\Low\BHOAMULW.exe
"C:\Users\Admin\AppData\Local\Temp\Low\BHOAMULW.exe"
1⤵
- Executes dropped EXE
PID:7008

C:\ProgramData\WindowsHolographicDevices\ZU5L81V2.exe
"C:\ProgramData\WindowsHolographicDevices\ZU5L81V2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1000
  2⤵
  - Program crash
  PID:6936

C:\Users\Admin\AppData\Roaming\Adobe\UX6FN73N.exe
"C:\Users\Admin\AppData\Roaming\Adobe\UX6FN73N.exe"
1⤵
- Executes dropped EXE
PID:6252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 2396
  2⤵
  - Program crash
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 2420
  2⤵
  - Program crash
  PID:2296

C:\ProgramData\ssh\BDHRM6SW.exe
"C:\ProgramData\ssh\BDHRM6SW.exe"
1⤵
- Executes dropped EXE
PID:6728

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\MQP79NH7.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\MQP79NH7.exe"
1⤵
PID:7124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7108 -ip 7108
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6252 -ip 6252
1⤵
PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6252 -ip 6252
1⤵
PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5824

C:\Users\Admin\Desktop\6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe
"C:\Users\Admin\Desktop\6bccfdbe392cf2eef8a337fbb8af90a662773d8cd73cec1ac1e0f51686840215.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Users\Admin\Desktop\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe
"C:\Users\Admin\Desktop\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe"
1⤵
PID:2352

C:\Users\Admin\Desktop\c93d28e89af52917c466181f07f704b19501d876b43788af4e89ea5e3e9bc433.exe
"C:\Users\Admin\Desktop\c93d28e89af52917c466181f07f704b19501d876b43788af4e89ea5e3e9bc433.exe"
1⤵
PID:4872

C:\Users\Admin\Desktop\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe
"C:\Users\Admin\Desktop\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe"
1⤵
PID:5176

C:\Users\Admin\Desktop\a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe
"C:\Users\Admin\Desktop\a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Users\Admin\Desktop\255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c.exe
"C:\Users\Admin\Desktop\255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c.exe"
1⤵
PID:5336

C:\Users\Admin\Desktop\59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200.exe
"C:\Users\Admin\Desktop\59c71b235595f91647ec9cb99c0b1ccaf2f00d444383a2d0e646f05a989f8200.exe"
1⤵
PID:4336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 312 -ip 312
1⤵
PID:7528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7884

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion