risepro | 5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	sqls977.exe
2660	drivEn977.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral16/files/0x000a000000012251-19.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{950BD0F1-D1FE-11EE-A7F1-FA5112F1BCBF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000a82d0516d42d41fafdf2cbc951581159eb3a543f7e765370b5c892c8c15f7a22000000000e8000000002000020000000b568cc322b0c2585be9a114912c980ef4766e812fbca6ede0da626592fa1d1b42000000008f5e8b49a330123074620f48d5e7ce8ad19e9211568ded0f8ab9b15f3d7f80e40000000992e371190735ceaa86079b72f1a78cea505d23de5f9a48050cba30750421d8e125726921fb3edd0f205b184332c0c0719db79de2be137fb59053e08e012c795	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95155671-D1FE-11EE-A7F1-FA5112F1BCBF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2085e36a0b66da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
660	chrome.exe
660	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeDebugPrivilege	2064	firefox.exe
Token: SeDebugPrivilege	2064	firefox.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2868	sqls977.exe
2868	sqls977.exe
2848	iexplore.exe
2868	sqls977.exe
2608	iexplore.exe
2824	iexplore.exe
2440	iexplore.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
2868	sqls977.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
2868	sqls977.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
2868	sqls977.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2440	iexplore.exe
2440	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2848	iexplore.exe
2848	iexplore.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2868	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	28
PID 2352 wrote to memory of 2868	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	28
PID 2352 wrote to memory of 2868	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	28
PID 2352 wrote to memory of 2868	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	28
PID 2352 wrote to memory of 2660	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	29
PID 2352 wrote to memory of 2660	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	29
PID 2352 wrote to memory of 2660	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	29
PID 2352 wrote to memory of 2660	2352	e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe	29
PID 2868 wrote to memory of 2848	2868	sqls977.exe	31
PID 2868 wrote to memory of 2848	2868	sqls977.exe	31
PID 2868 wrote to memory of 2848	2868	sqls977.exe	31
PID 2868 wrote to memory of 2848	2868	sqls977.exe	31
PID 2868 wrote to memory of 2824	2868	sqls977.exe	30
PID 2868 wrote to memory of 2824	2868	sqls977.exe	30
PID 2868 wrote to memory of 2824	2868	sqls977.exe	30
PID 2868 wrote to memory of 2824	2868	sqls977.exe	30
PID 2868 wrote to memory of 2608	2868	sqls977.exe	32
PID 2868 wrote to memory of 2608	2868	sqls977.exe	32
PID 2868 wrote to memory of 2608	2868	sqls977.exe	32
PID 2868 wrote to memory of 2608	2868	sqls977.exe	32
PID 2868 wrote to memory of 2440	2868	sqls977.exe	33
PID 2868 wrote to memory of 2440	2868	sqls977.exe	33
PID 2868 wrote to memory of 2440	2868	sqls977.exe	33
PID 2868 wrote to memory of 2440	2868	sqls977.exe	33
PID 2440 wrote to memory of 1444	2440	iexplore.exe	36
PID 2440 wrote to memory of 1444	2440	iexplore.exe	36
PID 2440 wrote to memory of 1444	2440	iexplore.exe	36
PID 2440 wrote to memory of 1444	2440	iexplore.exe	36
PID 2608 wrote to memory of 2332	2608	iexplore.exe	37
PID 2608 wrote to memory of 2332	2608	iexplore.exe	37
PID 2608 wrote to memory of 2332	2608	iexplore.exe	37
PID 2608 wrote to memory of 2332	2608	iexplore.exe	37
PID 2824 wrote to memory of 2812	2824	iexplore.exe	34
PID 2824 wrote to memory of 2812	2824	iexplore.exe	34
PID 2824 wrote to memory of 2812	2824	iexplore.exe	34
PID 2824 wrote to memory of 2812	2824	iexplore.exe	34
PID 2848 wrote to memory of 1632	2848	iexplore.exe	35
PID 2848 wrote to memory of 1632	2848	iexplore.exe	35
PID 2848 wrote to memory of 1632	2848	iexplore.exe	35
PID 2848 wrote to memory of 1632	2848	iexplore.exe	35
PID 2868 wrote to memory of 660	2868	sqls977.exe	39
PID 2868 wrote to memory of 660	2868	sqls977.exe	39
PID 2868 wrote to memory of 660	2868	sqls977.exe	39
PID 2868 wrote to memory of 660	2868	sqls977.exe	39
PID 2868 wrote to memory of 772	2868	sqls977.exe	40
PID 2868 wrote to memory of 772	2868	sqls977.exe	40
PID 2868 wrote to memory of 772	2868	sqls977.exe	40
PID 2868 wrote to memory of 772	2868	sqls977.exe	40
PID 660 wrote to memory of 2748	660	chrome.exe	43
PID 660 wrote to memory of 2748	660	chrome.exe	43
PID 660 wrote to memory of 2748	660	chrome.exe	43
PID 2868 wrote to memory of 1224	2868	sqls977.exe	42
PID 2868 wrote to memory of 1224	2868	sqls977.exe	42
PID 2868 wrote to memory of 1224	2868	sqls977.exe	42
PID 2868 wrote to memory of 1224	2868	sqls977.exe	42
PID 772 wrote to memory of 576	772	chrome.exe	41
PID 772 wrote to memory of 576	772	chrome.exe	41
PID 772 wrote to memory of 576	772	chrome.exe	41
PID 2868 wrote to memory of 1748	2868	sqls977.exe	44
PID 2868 wrote to memory of 1748	2868	sqls977.exe	44
PID 2868 wrote to memory of 1748	2868	sqls977.exe	44
PID 2868 wrote to memory of 1748	2868	sqls977.exe	44
PID 1224 wrote to memory of 2412	1224	chrome.exe	45
PID 1224 wrote to memory of 2412	1224	chrome.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
"C:\Users\Admin\AppData\Local\Temp\e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\sqls977.exe
  "C:\Users\Admin\AppData\Local\Temp\sqls977.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1632
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2332
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6039758,0x7fef6039768,0x7fef6039778
      4⤵
      PID:2748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1056 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:2
      4⤵
      PID:2244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1500 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:8
      4⤵
      PID:2548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:8
      4⤵
      PID:1556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2468 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:1
      4⤵
      PID:3336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2424 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:1
      4⤵
      PID:3316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2116 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:1
      4⤵
      PID:3268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:1
      4⤵
      PID:3208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1376 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:2
      4⤵
      PID:2564
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3284 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:1
      4⤵
      PID:4788
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3884 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:8
      4⤵
      PID:5468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4064 --field-trial-handle=1264,i,1313807686652596712,15288917953948224244,131072 /prefetch:8
      4⤵
      PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    3⤵
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6039758,0x7fef6039768,0x7fef6039778
      4⤵
      PID:576
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1376,i,11640077764173111261,16888121724587340750,131072 /prefetch:2
      4⤵
      PID:1552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1376,i,11640077764173111261,16888121724587340750,131072 /prefetch:8
      4⤵
      PID:3144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3⤵
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6039758,0x7fef6039768,0x7fef6039778
      4⤵
      PID:2412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1296,i,6076155569437659328,3950278988027744029,131072 /prefetch:2
      4⤵
      PID:2636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1296,i,6076155569437659328,3950278988027744029,131072 /prefetch:8
      4⤵
      PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3⤵
    PID:1748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2064
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.0.1508656876\986215151" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1084 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3440e15a-33b1-4e55-8d9f-3da685818f23} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 1320 c1d9858 gpu
        5⤵
        
        PID:3680
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.1.2037958977\175933491" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68dc8fc2-00bc-4367-a502-32a335549c2f} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 1580 ad3c458 socket
        5⤵
        
        PID:3828
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.2.2047631756\455357214" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cce03b3-6412-498f-a9a9-f490d68bb97e} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 2076 c167158 tab
        5⤵
        
        PID:3952
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.3.1703973949\990351628" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9148499-b372-4668-a99a-e2b2589d464c} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 2896 e2ed58 tab
        5⤵
        
        PID:3464
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.6.905931696\615962292" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {717e5eef-db1f-42ae-8262-729c58257336} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3924 1f568058 tab
        5⤵
        
        PID:3792
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.5.1993197522\874622430" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3768 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c9a4222-bbdb-4ed0-8d6d-e1a96e39625e} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3756 1f639558 tab
        5⤵
        
        PID:3824
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.4.500757078\837961517" -childID 3 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1145cf70-3c70-4999-a866-6032b00afa1e} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3624 1f569258 tab
        5⤵
        
        PID:3820
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.7.54206741\966233343" -parentBuildID 20221007134813 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6853c9a-b69d-4ffc-b6bb-09d0bc326af7} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 4240 1f7de558 rdd
        5⤵
        
        PID:4104
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.8.1866155491\922721170" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 4348 -prefMapHandle 4344 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {074c8a5a-b4ab-4739-99b1-0055172542f7} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 4360 1fb11c58 utility
        5⤵
        
        PID:4184
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.9.1944960646\307602592" -childID 6 -isForBrowser -prefsHandle 4528 -prefMapHandle 4524 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76ce6979-17ff-48a3-9e20-309cd9933802} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 4540 20666d58 tab
        5⤵
        
        PID:4400
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.10.1100614258\2134389410" -childID 7 -isForBrowser -prefsHandle 4760 -prefMapHandle 4960 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59af2cad-70a3-45e9-bf79-9ccfb2ee28aa} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 4980 20fac858 tab
        5⤵
        
        PID:2100
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.12.1910106717\874275635" -childID 9 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecc751b4-2d74-48c2-8049-cef802e6a2a9} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 5020 20faa758 tab
        5⤵
        
        PID:4616
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.11.806069368\1533903428" -childID 8 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de474d47-6a6b-499c-a0ff-b197c2e8000c} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 4876 20fab058 tab
        5⤵
        Checks processor information in registry
        
        PID:884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3⤵
    PID:1516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      Checks processor information in registry
      PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3⤵
    PID:884
- C:\Users\Admin\AppData\Local\Temp\drivEn977.exe
  "C:\Users\Admin\AppData\Local\Temp\drivEn977.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion