djvu | e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	setup.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5768	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000600000002330d-413.dat	themida
behavioral6/files/0x000600000002330d-660.dat	themida
behavioral6/memory/4068-976-0x00000000009D0000-0x0000000000FE2000-memory.dmp	themida

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	193.233.132.49
Destination IP	193.233.132.49
Destination IP	193.233.132.49
Destination IP	193.233.132.49
Destination IP	193.233.132.49
Destination IP	193.233.132.49

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
185	iplogger.org
186	iplogger.org
247	iplogger.org

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
199	ipinfo.io
274	ipinfo.io
426	ipinfo.io
35	ipinfo.io
36	ipinfo.io
192	api.2ip.ua
200	ipinfo.io
263	ipinfo.io
34	api.myip.com
196	api.myip.com
266	ipinfo.io
422	ipinfo.io
431	ipinfo.io
33	api.myip.com
191	api.2ip.ua
463	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x001b0000000233b4-1455.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2136	setup.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3076	5752	WerFault.exe	99
3684	2132	WerFault.exe	141
4224	6116	WerFault.exe	134
416	5736	WerFault.exe	101

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4828	schtasks.exe
5228	schtasks.exe
5004	schtasks.exe
1124	schtasks.exe
5896	schtasks.exe
5892	schtasks.exe
1708	schtasks.exe
1028	schtasks.exe
4440	schtasks.exe
5456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	setup.exe
2136	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2136
- C:\Users\Admin\Documents\GuardFox\oPAY0atGsFrz5J6mweTZuaDf.exe
  "C:\Users\Admin\Documents\GuardFox\oPAY0atGsFrz5J6mweTZuaDf.exe"
  2⤵
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\7zSCBD.tmp\Install.exe
    .\Install.exe
    3⤵
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\7zS23CF.tmp\Install.exe
      .\Install.exe /MFFdidt "525403" /S
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:4652
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:4080
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:4364
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:5708
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:5652
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:2052
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:5504
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:5568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gloyEKczR" /SC once /ST 10:59:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:5004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gloyEKczR"
        5⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gloyEKczR"
        5⤵
        
        PID:9052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bokvhhUgtHQNbUrNPU" /SC once /ST 17:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\FwvfrvJ.exe\" r1 /PXsite_idcxh 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:4828
- C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe
  "C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe"
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5848
- - C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe
    "C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe"
    3⤵
    PID:5632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2556
- C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe
  "C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe"
  2⤵
  PID:5772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2336
- - C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe
    "C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe"
    3⤵
    PID:6956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5956
- C:\Users\Admin\Documents\GuardFox\fVLq49qtba3ytPK4Nw9io13j.exe
  "C:\Users\Admin\Documents\GuardFox\fVLq49qtba3ytPK4Nw9io13j.exe"
  2⤵
  PID:5752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 344
    3⤵
    - Program crash
    PID:3076
- C:\Users\Admin\Documents\GuardFox\Mi6AWN9vXRBRMcYeS_3_zVDQ.exe
  "C:\Users\Admin\Documents\GuardFox\Mi6AWN9vXRBRMcYeS_3_zVDQ.exe"
  2⤵
  PID:5744
- C:\Users\Admin\Documents\GuardFox\pPrCgUdP2JClGnpyLmHJPscG.exe
  "C:\Users\Admin\Documents\GuardFox\pPrCgUdP2JClGnpyLmHJPscG.exe"
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 2368
    3⤵
    - Program crash
    PID:416
- C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe
  "C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe"
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5456
- - C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\2g1j7SGm0vjI4nkHAuJW.exe
    "C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\2g1j7SGm0vjI4nkHAuJW.exe"
    3⤵
    PID:3396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:3020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:4460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
        5⤵
        
        PID:4160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
        5⤵
        
        PID:2748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:1176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
        5⤵
        
        PID:6368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
        5⤵
        
        PID:6344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        5⤵
        
        PID:6744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
        5⤵
        
        PID:4652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        5⤵
        
        PID:6884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        5⤵
        
        PID:6948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
        5⤵
        
        PID:6184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        5⤵
        
        PID:7152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
        5⤵
        
        PID:6376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
      4⤵
      PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:4044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10262843961557492095,15357762294570849128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        
        PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      PID:5568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,2525749010093275192,12174032622444560376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        5⤵
        
        PID:6848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:1840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
      4⤵
      PID:2496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
      4⤵
      PID:3664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
        5⤵
        
        PID:5712
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
      4⤵
      PID:3188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778
        5⤵
        
        PID:2188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2024,i,5557749574225615445,7883934478427062869,131072 /prefetch:8
        5⤵
        
        PID:8644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2024,i,5557749574225615445,7883934478427062869,131072 /prefetch:2
        5⤵
        
        PID:8636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      PID:3816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778
        5⤵
        
        PID:5932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:8
        5⤵
        
        PID:8108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:8
        5⤵
        
        PID:8076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:2
        5⤵
        
        PID:8068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:7484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4060 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:8480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2992 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:8652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5040 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:9148
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3624 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:8944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4528 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:8584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:8004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4488 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1
        5⤵
        
        PID:6168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:6356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      4⤵
      PID:6020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=2004,i,2302472976579425981,17844444468222244877,131072 /prefetch:2
        5⤵
        
        PID:9012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=2004,i,2302472976579425981,17844444468222244877,131072 /prefetch:8
        5⤵
        
        PID:9136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      PID:6940
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
        5⤵
        
        PID:7128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      4⤵
      PID:7160
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        5⤵
        
        PID:3952
- - C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\hGnIVTJbniiugaulndqv.exe
    "C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\hGnIVTJbniiugaulndqv.exe"
    3⤵
    PID:5872
- - C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\GCWEHT8K4v5SdsJZFtFi.exe
    "C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\GCWEHT8K4v5SdsJZFtFi.exe"
    3⤵
    PID:8304
- - C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\V1FkYflsSuINyVwTTmob.exe
    "C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\V1FkYflsSuINyVwTTmob.exe"
    3⤵
    PID:8516
- C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe
  "C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe"
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\is-VM79T.tmp\eQYk_b6jz16mJKmMtyzJXk5e.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VM79T.tmp\eQYk_b6jz16mJKmMtyzJXk5e.tmp" /SL5="$20272,4460890,54272,C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe"
    3⤵
    PID:4676
- C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe
  "C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe"
  2⤵
  PID:6140
- - C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe
    "C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe"
    3⤵
    PID:4344
  - - C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe
      "C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:5976
    - - C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe
        
        "C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:2132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 568
        6⤵
        Program crash
        
        PID:3684
- C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe
  "C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe"
  2⤵
  PID:4068
- C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe
  "C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe"
  2⤵
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\onefile_3900_133531816951741958\WW9_64.exe
    "C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe"
    3⤵
    PID:4316
- C:\Users\Admin\Documents\GuardFox\6mW5b4qOjpVvTGG_x07s4stc.exe
  "C:\Users\Admin\Documents\GuardFox\6mW5b4qOjpVvTGG_x07s4stc.exe"
  2⤵
  PID:1288
- C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe
  "C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe"
  2⤵
  PID:1448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:4208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      PID:2284
- C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe
  "C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe"
  2⤵
  PID:4376
- C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe
  "C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe"
  2⤵
  PID:2808
- C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe
  "C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe"
  2⤵
  PID:6132
- C:\Users\Admin\Documents\GuardFox\gA119GY6BxzJ20qiar2SBob6.exe
  "C:\Users\Admin\Documents\GuardFox\gA119GY6BxzJ20qiar2SBob6.exe"
  2⤵
  PID:6116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 2244
    3⤵
    - Program crash
    PID:4224
- C:\Users\Admin\Documents\GuardFox\tICD3_G5dCLsOTlSefOYkF5v.exe
  "C:\Users\Admin\Documents\GuardFox\tICD3_G5dCLsOTlSefOYkF5v.exe"
  2⤵
  PID:6108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:5584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:8
      4⤵
      PID:5524
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:8
      4⤵
      PID:5368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1
      4⤵
      PID:552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1
      4⤵
      PID:5448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:2
      4⤵
      PID:3680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1
      4⤵
      PID:564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5752 -ip 5752
1⤵
PID:6004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:5480
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5892
- C:\Users\Admin\AppData\Local\Temp\heidi6DbP_N64XGcl\Gt_q28K1Pij1MddE1Ptw.exe
  "C:\Users\Admin\AppData\Local\Temp\heidi6DbP_N64XGcl\Gt_q28K1Pij1MddE1Ptw.exe"
  2⤵
  PID:7596
- - C:\Users\Admin\AppData\Local\Temp\heidiZzOs_nAUVEVs\tgDCkeEhpafr5oQRSOwS.exe
    "C:\Users\Admin\AppData\Local\Temp\heidiZzOs_nAUVEVs\tgDCkeEhpafr5oQRSOwS.exe"
    3⤵
    PID:6272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
1⤵
PID:2348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\22158657-fbde-415a-bad4-5bee4646aa0b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
- Modifies file permissions
PID:5768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:5212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1028

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -s
1⤵
PID:5268

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -i
1⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc74599758,0x7ffc74599768,0x7ffc74599778
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2132 -ip 2132
1⤵
PID:3012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6116 -ip 6116
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5736 -ip 5736
1⤵
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\F0B4.exe
C:\Users\Admin\AppData\Local\Temp\F0B4.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\F0B4.exe
  C:\Users\Admin\AppData\Local\Temp\F0B4.exe
  2⤵
  PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718
1⤵
PID:5444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
1⤵
PID:6516
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.0.362609268\2099137141" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e4828f-f9bb-4a81-8eb7-010578d8f589} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 1960 1b8b79eb758 gpu
  2⤵
  PID:7324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.1.1762859660\896436887" -parentBuildID 20221007134813 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cde6dca-4aa1-4228-b1f3-192c8fc69211} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 2452 1b8b7140b58 socket
  2⤵
  PID:7604
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.2.1389827356\513907467" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 1324 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d50720fd-0bff-4811-a940-289057a83064} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 2964 1b8bb5ead58 tab
  2⤵
  PID:8132
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.3.571719448\226535996" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc0a1d06-a136-4fff-b8c3-c9b93cb0c836} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 3552 1b8aad61958 tab
  2⤵
  PID:7424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.5.100219316\362446075" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc981a1e-d3d0-42d0-aefc-68d5a07a27b4} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5012 1b8bdbbc758 tab
  2⤵
  PID:8984
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.4.134982506\89800635" -childID 3 -isForBrowser -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23bcb338-f14e-4c48-94b9-94b81ed53430} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 4868 1b8aad66858 tab
  2⤵
  PID:8824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.8.548551733\852648684" -childID 7 -isForBrowser -prefsHandle 5280 -prefMapHandle 5504 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3f0be8-1d6b-42f1-a229-8bf7ccaabd4b} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5508 1b8be35f458 tab
  2⤵
  PID:2876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.7.11885308\1485962313" -childID 6 -isForBrowser -prefsHandle 2884 -prefMapHandle 3384 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2693e2-3ea0-431c-9a9a-23343d9971dc} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5280 1b8be360f58 tab
  2⤵
  PID:6120
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.6.1702852335\1337804002" -childID 5 -isForBrowser -prefsHandle 4668 -prefMapHandle 5272 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {342d548a-ad4b-4791-9a34-c178dcae7059} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 3436 1b8be35f158 tab
  2⤵
  PID:7752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778
1⤵
PID:6200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\FF5.exe
C:\Users\Admin\AppData\Local\Temp\FF5.exe
1⤵
PID:8008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:8388

C:\Users\Admin\AppData\Local\Temp\3EA7.exe
C:\Users\Admin\AppData\Local\Temp\3EA7.exe
1⤵
PID:6340
- C:\Users\Admin\AppData\Local\Temp\is-D1NJE.tmp\3EA7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D1NJE.tmp\3EA7.tmp" /SL5="$50372,4061719,54272,C:\Users\Admin\AppData\Local\Temp\3EA7.exe"
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe
    "C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -i
    3⤵
    PID:8572
- - C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe
    "C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -s
    3⤵
    PID:4100

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\489B.dll
1⤵
PID:1852
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\489B.dll
  2⤵
  PID:1380

C:\Users\Admin\AppData\Local\Temp\7B06.exe
C:\Users\Admin\AppData\Local\Temp\7B06.exe
1⤵
PID:8884
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  2⤵
  PID:8688
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:7424
- C:\Users\Admin\AppData\Local\Temp\FourthX.exe
  "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
  2⤵
  PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery