amadey | 9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DHCAAEBKEG.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DHCAAEBKEG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DHCAAEBKEG.exe

Executes dropped EXE 3 IoCs

pid	Process
2416	DHCAAEBKEG.exe
1296	explorti.exe
1868	7e6322319d.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	DHCAAEBKEG.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	explorti.exe

Loads dropped DLL 6 IoCs

pid	Process
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2864	cmd.exe
2416	DHCAAEBKEG.exe
1296	explorti.exe
1296	explorti.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2416	DHCAAEBKEG.exe
1296	explorti.exe
1868	7e6322319d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	DHCAAEBKEG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
2416	DHCAAEBKEG.exe
1296	explorti.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeDebugPrivilege	960	firefox.exe
Token: SeDebugPrivilege	960	firefox.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2416	DHCAAEBKEG.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
1868	7e6322319d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2864	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	29
PID 2732 wrote to memory of 2864	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	29
PID 2732 wrote to memory of 2864	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	29
PID 2732 wrote to memory of 2864	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	29
PID 2732 wrote to memory of 1196	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	31
PID 2732 wrote to memory of 1196	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	31
PID 2732 wrote to memory of 1196	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	31
PID 2732 wrote to memory of 1196	2732	9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe	31
PID 2864 wrote to memory of 2416	2864	cmd.exe	33
PID 2864 wrote to memory of 2416	2864	cmd.exe	33
PID 2864 wrote to memory of 2416	2864	cmd.exe	33
PID 2864 wrote to memory of 2416	2864	cmd.exe	33
PID 2416 wrote to memory of 1296	2416	DHCAAEBKEG.exe	34
PID 2416 wrote to memory of 1296	2416	DHCAAEBKEG.exe	34
PID 2416 wrote to memory of 1296	2416	DHCAAEBKEG.exe	34
PID 2416 wrote to memory of 1296	2416	DHCAAEBKEG.exe	34
PID 1296 wrote to memory of 1868	1296	explorti.exe	35
PID 1296 wrote to memory of 1868	1296	explorti.exe	35
PID 1296 wrote to memory of 1868	1296	explorti.exe	35
PID 1296 wrote to memory of 1868	1296	explorti.exe	35
PID 1296 wrote to memory of 1892	1296	explorti.exe	37
PID 1296 wrote to memory of 1892	1296	explorti.exe	37
PID 1296 wrote to memory of 1892	1296	explorti.exe	37
PID 1296 wrote to memory of 1892	1296	explorti.exe	37
PID 1892 wrote to memory of 1028	1892	cmd.exe	39
PID 1892 wrote to memory of 1028	1892	cmd.exe	39
PID 1892 wrote to memory of 1028	1892	cmd.exe	39
PID 1892 wrote to memory of 1028	1892	cmd.exe	39
PID 1892 wrote to memory of 1280	1892	cmd.exe	40
PID 1892 wrote to memory of 1280	1892	cmd.exe	40
PID 1892 wrote to memory of 1280	1892	cmd.exe	40
PID 1892 wrote to memory of 1280	1892	cmd.exe	40
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1280 wrote to memory of 960	1280	firefox.exe	41
PID 1028 wrote to memory of 916	1028	chrome.exe	42
PID 1028 wrote to memory of 916	1028	chrome.exe	42
PID 1028 wrote to memory of 916	1028	chrome.exe	42
PID 960 wrote to memory of 2956	960	firefox.exe	44
PID 960 wrote to memory of 2956	960	firefox.exe	44
PID 960 wrote to memory of 2956	960	firefox.exe	44
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45
PID 1028 wrote to memory of 2708	1028	chrome.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe
"C:\Users\Admin\AppData\Local\Temp\9bcd9e7b8d3962b9c7e916adbf6a3607d5896fa4ddbfa93f66d2936c7bf4028a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHCAAEBKEG.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\DHCAAEBKEG.exe
    "C:\Users\Admin\AppData\Local\Temp\DHCAAEBKEG.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\7e6322319d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\7e6322319d.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\afaf5c9df2.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f09758,0x7fef5f09768,0x7fef5f09778
        7⤵
        
        PID:916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:2
        7⤵
        
        PID:2708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:8
        7⤵
        
        PID:2668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:8
        7⤵
        
        PID:2172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:1
        7⤵
        
        PID:2204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:1
        7⤵
        
        PID:1032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3192 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:1
        7⤵
        
        PID:1528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1280,i,106597986523736787,15075923614802631574,131072 /prefetch:2
        7⤵
        
        PID:3076
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.0.263225512\1301133334" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1204 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {468c829c-c3a1-4d24-bced-e0094d29bc70} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1296 110ef858 gpu
        8⤵
        
        PID:2956
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.1.203670452\1805062740" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {926d9e6d-3ef3-4cda-826d-a6577597ddee} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1512 d72e58 socket
        8⤵
        
        PID:2340
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.2.87711772\1761259567" -childID 1 -isForBrowser -prefsHandle 1132 -prefMapHandle 1972 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 748 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c472744-8bcd-407f-bdf3-3eff2308679a} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1840 19fa4458 tab
        8⤵
        
        PID:1332
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.3.1481607444\788847061" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2904 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 748 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51699e60-f99e-404b-8eb8-e715bb9beaee} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2920 1caf7558 tab
        8⤵
        
        PID:2972
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.4.611160882\1770856563" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3636 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 748 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bf00cdc-8e70-4a6e-aa53-a0dfa3633c58} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3596 1f250558 tab
        8⤵
        
        PID:3412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.5.2095172905\306221021" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 748 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd493c4-163a-4a0a-a1ef-fb44c60c41d7} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3788 1f24f058 tab
        8⤵
        
        PID:3424
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.6.1270935912\1374548646" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3696 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 748 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f009aca-904e-4070-91a1-ac83fa00d3de} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3972 1f250e58 tab
        8⤵
        
        PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe"
  2⤵
  PID:1196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion