orcus | hxxps://github[.]com/BlitzedOfficial/BlitzedGrabberX96NEON

System Information Discovery

Processes:

BlitzedGrabberX96 Installer.exechromedriver.exechromedriver.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	BlitzedGrabberX96 Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	chromedriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	chromedriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 22 IoCs

Processes:

7z2301-x64.exe7zG.exeBlitzedGrabberX96 Installer.exeBlitzedGrabberX96 Install.exeUnityCrashHandler.EXEchromedriver.exeWindowsInput.exeWindowsInput.exeKyanite.exechromedriver.exechromedriver.exesvchost.exesvchost.exechromedriver.exedotNetFx35setup.exedotNetFx35setup.exedotNetFx35setup.exedotNetFx35setup.exedotNetFx35setup.exedotNetFx35setup.exechromedriver.exechromedriver.exe

pid	process
2260	7z2301-x64.exe
2328	7zG.exe
6036	BlitzedGrabberX96 Installer.exe
3556	BlitzedGrabberX96 Install.exe
2984	UnityCrashHandler.EXE
2320	chromedriver.exe
3344	WindowsInput.exe
2292	WindowsInput.exe
4476	Kyanite.exe
5240	chromedriver.exe
2540	chromedriver.exe
1472	svchost.exe
2624	svchost.exe
116	chromedriver.exe
1936	dotNetFx35setup.exe
1812	dotNetFx35setup.exe
4936	dotNetFx35setup.exe
5124	dotNetFx35setup.exe
1972	dotNetFx35setup.exe
3540	dotNetFx35setup.exe
5328	chromedriver.exe
5036	chromedriver.exe

Loads dropped DLL 25 IoCs

Processes:

7zG.exeBlitzedGrabberX96 Install.exeKyanite.exe

pid	process
3508
2328	7zG.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
4476	Kyanite.exe
3508

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Program Files\BlitzedGrabberX96\Guna.UI2.dll	agile_net
behavioral1/memory/4476-826-0x0000000006250000-0x0000000006442000-memory.dmp	agile_net

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

7z2301-x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

UnityCrashHandler.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandler.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

chromedriver.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

118 raw.githubusercontent.com
119 raw.githubusercontent.com
157 discord.com
158 discord.com
160 discord.com
161 discord.com

flow	ioc
118	raw.githubusercontent.com
119	raw.githubusercontent.com
157	discord.com
158	discord.com
160	discord.com
161	discord.com

Drops file in System32 directory 3 IoCs

Processes:

chromedriver.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2301-x64.exeBlitzedGrabberX96 Install.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2301-x64.exe
File created	C:\Program Files\BlitzedGrabberX96\Kyanite.exe	BlitzedGrabberX96 Install.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2301-x64.exe
File created	C:\Program Files\BlitzedGrabberX96\APIFOR.DLL	BlitzedGrabberX96 Install.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2301-x64.exe
File created	C:\Program Files\BlitzedGrabberX96\Login Theme.dll	BlitzedGrabberX96 Install.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2301-x64.exe
File created	C:\Program Files\BlitzedGrabberX96\Guna.UI.dll	BlitzedGrabberX96 Install.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2301-x64.exe
File created	C:\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll	BlitzedGrabberX96 Install.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2301-x64.exe

Drops file in Windows directory 3 IoCs

Processes:

chromedriver.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	chromedriver.exe
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1808 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1808	powershell.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595134517857936"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 22 IoCs

Processes:

7z2301-x64.exefirefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe

NTFS ADS 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\dotNetFx35setup.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 954318.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exesvchost.exechromedriver.exe

pid	process
2600	msedge.exe
2600	msedge.exe
3700	msedge.exe
3700	msedge.exe
4092	identity_helper.exe
4092	identity_helper.exe
4484	msedge.exe
4484	msedge.exe
6080	msedge.exe
6080	msedge.exe
1808	powershell.exe
1808	powershell.exe
2624	svchost.exe
2624	svchost.exe
5240	chromedriver.exe
5240	chromedriver.exe
2624	svchost.exe
2624	svchost.exe
5240	chromedriver.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe
2624	svchost.exe
5240	chromedriver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chromedriver.exe

pid process

5240 chromedriver.exe

pid	process
5240	chromedriver.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exechrome.exe

pid	process
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

7zG.exepowershell.exeKyanite.exechromedriver.exesvchost.exesvchost.exechrome.exefirefox.exefirefox.exe

description	pid	process
Token: SeRestorePrivilege	2328	7zG.exe
Token: 35	2328	7zG.exe
Token: SeSecurityPrivilege	2328	7zG.exe
Token: SeSecurityPrivilege	2328	7zG.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	4476	Kyanite.exe
Token: SeDebugPrivilege	5240	chromedriver.exe
Token: SeDebugPrivilege	1472	svchost.exe
Token: SeDebugPrivilege	2624	svchost.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeDebugPrivilege	1808	firefox.exe
Token: SeDebugPrivilege	1808	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exechrome.exe

pid	process
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
2328	7zG.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exefirefox.exe

pid	process
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

7z2301-x64.exeBlitzedGrabberX96 Install.exeKyanite.exechromedriver.exefirefox.exefirefox.exe

pid	process
2260	7z2301-x64.exe
3556	BlitzedGrabberX96 Install.exe
3556	BlitzedGrabberX96 Install.exe
4476	Kyanite.exe
4476	Kyanite.exe
5240	chromedriver.exe
1808	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3700 wrote to memory of 1544	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 1544	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 3280	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2600	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2600	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe
PID 3700 wrote to memory of 2804	3700	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/BlitzedOfficial/BlitzedGrabberX96NEON
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa67c946f8,0x7ffa67c94708,0x7ffa67c94718
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
2⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
2⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,6590866919591889367,1671860042301954309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6080

C:\Users\Admin\Downloads\7z2301-x64.exe
"C:\Users\Admin\Downloads\7z2301-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BlitzedGrabberX96\" -spe -an -ai#7zMap10949:96:7zEvent31759
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5840

C:\Users\Admin\Downloads\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
"C:\Users\Admin\Downloads\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6036

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File poo.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
PID:2320

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixyvcef2.cmdline"
3⤵
PID:624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC42.tmp"
4⤵
PID:5484

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3344

C:\ProgramData\Chrome\Plugins\chromedriver.exe
"C:\ProgramData\Chrome\Plugins\chromedriver.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5240

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 5240 /protectFile
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 5240 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Program Files\BlitzedGrabberX96\Kyanite.exe
"C:\Program Files\BlitzedGrabberX96\Kyanite.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ceqeuzcp\ceqeuzcp.cmdline"
2⤵
PID:5504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2gpvgfii\2gpvgfii.cmdline"
2⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtxvv5cu\dtxvv5cu.cmdline"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmqor5fq\wmqor5fq.cmdline"
2⤵
PID:3244

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ffa5886cc40,0x7ffa5886cc4c,0x7ffa5886cc58
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2204 /prefetch:3
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2220 /prefetch:8
2⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3364,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4552 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4480,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4660,i,8688453934348414403,10188995631406317992,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4048 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5591af5-f90e-40cc-8537-f49aebc3dd14} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" gpu
3⤵
PID:5928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7618e98f-7320-41aa-8651-5e61f54288ad} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" socket
3⤵
- Checks processor information in registry
PID:5372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3320 -childID 1 -isForBrowser -prefsHandle 1400 -prefMapHandle 3284 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1d88746-be20-48ca-8cb1-cf7d3c9cfaf7} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
3⤵
PID:4176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4292 -childID 2 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d277206f-a046-40b5-91f6-5c0650c11885} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
3⤵
PID:2732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4936 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4920 -prefsLen 30998 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43012df8-4e46-4d63-8425-0932a6e95eaa} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" utility
3⤵
- Checks processor information in registry
PID:960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {089a9f31-ba58-41a2-8e4a-bd3507f28c5a} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
3⤵
PID:6060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5456 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fadf2c13-90f8-477d-9842-653df55e5978} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
3⤵
PID:5312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5612 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2344e526-74cf-4993-b1a8-15545b7126bb} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
3⤵
PID:3828

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 25481 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c5448d-72d4-4907-95d8-4bb613bdac44} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" gpu
3⤵
PID:1632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 25517 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff67ce27-a669-485a-95ad-b7b4c5a0b869} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" socket
3⤵
- Checks processor information in registry
PID:2524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1604 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2772 -prefsLen 25658 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e05af8f-2488-4859-80c9-a90665adc445} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 30891 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0912112-5182-430b-81c0-69e929615162} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:3864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 1592 -prefsLen 30945 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84043f76-3971-4774-93a5-8531d61b93e4} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" utility
3⤵
- Checks processor information in registry
PID:5560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5136 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d03e1c6-92c1-43f3-9529-6f6ae5bb7d10} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d1c6d4-798b-4a96-8073-fc87d1d791f5} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:1940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbcb43cf-95d6-42a8-b978-e3b8437e0846} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 6 -isForBrowser -prefsHandle 2320 -prefMapHandle 6008 -prefsLen 27044 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab0b56e-ed5b-4bec-8c85-a58b08979776} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:3008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 7 -isForBrowser -prefsHandle 5908 -prefMapHandle 5192 -prefsLen 27910 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8dec277-1784-4c93-8ba7-2fa57360af9d} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:2448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6568 -childID 8 -isForBrowser -prefsHandle 6528 -prefMapHandle 6548 -prefsLen 27910 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {489fa744-4a89-4692-932f-3003d298f434} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:2976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 9 -isForBrowser -prefsHandle 5272 -prefMapHandle 3096 -prefsLen 27910 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e37db436-996e-4e39-b2a5-cd86a1c3e8ac} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6092 -childID 10 -isForBrowser -prefsHandle 4676 -prefMapHandle 5180 -prefsLen 27910 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1c4559-2b7b-44a3-9125-7be155551358} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
3⤵
PID:1860

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
3⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
3⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
1⤵
- Executes dropped EXE
PID:5124

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
1⤵
- Executes dropped EXE
PID:1972

C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
1⤵
- Executes dropped EXE
PID:3540

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:5328

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery