amadey | 8c207b724ee5d0febaa25aadf3861b31e3740412da99dfd53e5518db47082312

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingCFIEBKEHCA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingDAECAECFCA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingDAECAECFCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingCFIEBKEHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingCFIEBKEHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingDAECAECFCA.exe

Executes dropped EXE 13 IoCs

pid	Process
756	RoamingCFIEBKEHCA.exe
1368	RoamingDAECAECFCA.exe
544	axplong.exe
1100	explorti.exe
2452	63f7f5950a.exe
2296	7776e1838a.exe
1696	build.exe
3332	stub.exe
888	crypted.exe
3160	5447jsX.exe
576	crypteda.exe
3308	2.exe
3884	25072023.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	RoamingCFIEBKEHCA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	RoamingDAECAECFCA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	axplong.exe

Loads dropped DLL 30 IoCs

pid	Process
2200	file.exe
2200	file.exe
864	cmd.exe
2404	cmd.exe
756	RoamingCFIEBKEHCA.exe
1368	RoamingDAECAECFCA.exe
1100	explorti.exe
1100	explorti.exe
1100	explorti.exe
1100	explorti.exe
544	axplong.exe
1696	build.exe
3332	stub.exe
544	axplong.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
544	axplong.exe
544	axplong.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
544	axplong.exe
544	axplong.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
544	axplong.exe
544	axplong.exe
544	axplong.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\63f7f5950a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\63f7f5950a.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\7776e1838a.exe = "C:\\Users\\Admin\\1000003002\\7776e1838a.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
756	RoamingCFIEBKEHCA.exe
1368	RoamingDAECAECFCA.exe
544	axplong.exe
1100	explorti.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	RoamingDAECAECFCA.exe
File created	C:\Windows\Tasks\axplong.job	RoamingCFIEBKEHCA.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001937b-743.dat	pyinstaller
behavioral1/files/0x0008000000012100-894.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2212	888	WerFault.exe	68
1712	3160	WerFault.exe	70
2572	576	WerFault.exe	73

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingCFIEBKEHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingDAECAECFCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63f7f5950a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7776e1838a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5447jsX.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	25072023.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	25072023.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2200	file.exe
2200	file.exe
756	RoamingCFIEBKEHCA.exe
1368	RoamingDAECAECFCA.exe
544	axplong.exe
1100	explorti.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeDebugPrivilege	1492	firefox.exe
Token: SeDebugPrivilege	1492	firefox.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
756	RoamingCFIEBKEHCA.exe
1368	RoamingDAECAECFCA.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1492	firefox.exe
1492	firefox.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1492	firefox.exe
1492	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1492	firefox.exe
1492	firefox.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 864	2200	file.exe	31
PID 2200 wrote to memory of 864	2200	file.exe	31
PID 2200 wrote to memory of 864	2200	file.exe	31
PID 2200 wrote to memory of 864	2200	file.exe	31
PID 864 wrote to memory of 756	864	cmd.exe	33
PID 864 wrote to memory of 756	864	cmd.exe	33
PID 864 wrote to memory of 756	864	cmd.exe	33
PID 864 wrote to memory of 756	864	cmd.exe	33
PID 2200 wrote to memory of 2404	2200	file.exe	34
PID 2200 wrote to memory of 2404	2200	file.exe	34
PID 2200 wrote to memory of 2404	2200	file.exe	34
PID 2200 wrote to memory of 2404	2200	file.exe	34
PID 2404 wrote to memory of 1368	2404	cmd.exe	36
PID 2404 wrote to memory of 1368	2404	cmd.exe	36
PID 2404 wrote to memory of 1368	2404	cmd.exe	36
PID 2404 wrote to memory of 1368	2404	cmd.exe	36
PID 756 wrote to memory of 544	756	RoamingCFIEBKEHCA.exe	37
PID 756 wrote to memory of 544	756	RoamingCFIEBKEHCA.exe	37
PID 756 wrote to memory of 544	756	RoamingCFIEBKEHCA.exe	37
PID 756 wrote to memory of 544	756	RoamingCFIEBKEHCA.exe	37
PID 1368 wrote to memory of 1100	1368	RoamingDAECAECFCA.exe	38
PID 1368 wrote to memory of 1100	1368	RoamingDAECAECFCA.exe	38
PID 1368 wrote to memory of 1100	1368	RoamingDAECAECFCA.exe	38
PID 1368 wrote to memory of 1100	1368	RoamingDAECAECFCA.exe	38
PID 1100 wrote to memory of 2452	1100	explorti.exe	40
PID 1100 wrote to memory of 2452	1100	explorti.exe	40
PID 1100 wrote to memory of 2452	1100	explorti.exe	40
PID 1100 wrote to memory of 2452	1100	explorti.exe	40
PID 1100 wrote to memory of 2296	1100	explorti.exe	41
PID 1100 wrote to memory of 2296	1100	explorti.exe	41
PID 1100 wrote to memory of 2296	1100	explorti.exe	41
PID 1100 wrote to memory of 2296	1100	explorti.exe	41
PID 2296 wrote to memory of 1076	2296	7776e1838a.exe	42
PID 2296 wrote to memory of 1076	2296	7776e1838a.exe	42
PID 2296 wrote to memory of 1076	2296	7776e1838a.exe	42
PID 2296 wrote to memory of 1076	2296	7776e1838a.exe	42
PID 1076 wrote to memory of 1672	1076	cmd.exe	44
PID 1076 wrote to memory of 1672	1076	cmd.exe	44
PID 1076 wrote to memory of 1672	1076	cmd.exe	44
PID 1076 wrote to memory of 1676	1076	cmd.exe	45
PID 1076 wrote to memory of 1676	1076	cmd.exe	45
PID 1076 wrote to memory of 1676	1076	cmd.exe	45
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1672 wrote to memory of 2756	1672	chrome.exe	47
PID 1672 wrote to memory of 2756	1672	chrome.exe	47
PID 1672 wrote to memory of 2756	1672	chrome.exe	47
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1676 wrote to memory of 1492	1676	firefox.exe	46
PID 1492 wrote to memory of 3008	1492	firefox.exe	48
PID 1492 wrote to memory of 3008	1492	firefox.exe	48
PID 1492 wrote to memory of 3008	1492	firefox.exe	48
PID 1492 wrote to memory of 620	1492	firefox.exe	50
PID 1492 wrote to memory of 620	1492	firefox.exe	50
PID 1492 wrote to memory of 620	1492	firefox.exe	50
PID 1492 wrote to memory of 620	1492	firefox.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingCFIEBKEHCA.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\RoamingCFIEBKEHCA.exe
    "C:\Users\Admin\AppData\RoamingCFIEBKEHCA.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:544
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\onefile_1696_133664565499450000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 108
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 64
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 64
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
        5⤵
        Executes dropped EXE
        
        PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        5⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        6⤵
        
        PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
        5⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
        6⤵
        
        PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe"
        5⤵
        
        PID:3164
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        6⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        7⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        8⤵
        
        PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingDAECAECFCA.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\RoamingDAECAECFCA.exe
    "C:\Users\Admin\AppData\RoamingDAECAECFCA.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\63f7f5950a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\63f7f5950a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
    - - C:\Users\Admin\1000003002\7776e1838a.exe
        
        "C:\Users\Admin\1000003002\7776e1838a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D059.tmp\D05A.tmp\D05B.bat C:\Users\Admin\1000003002\7776e1838a.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6689758,0x7fef6689768,0x7fef6689778
        8⤵
        
        PID:2756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:2
        8⤵
        
        PID:2824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:8
        8⤵
        
        PID:2416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:8
        8⤵
        
        PID:2156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2136 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:1
        8⤵
        
        PID:1452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:1
        8⤵
        
        PID:2056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:2
        8⤵
        
        PID:3536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3076 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:1
        8⤵
        
        PID:3900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1360,i,12232071203230859592,16137596590130063267,131072 /prefetch:8
        8⤵
        
        PID:1868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.0.1116494865\1702045689" -parentBuildID 20221007134813 -prefsHandle 1264 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b7cd31-4be0-4a76-b96d-2cc8903f95b9} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1364 105d8258 gpu
        9⤵
        
        PID:3008
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.1.794521591\1629928733" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcb9d5c6-ce85-4369-a934-6b6a1ddd8b73} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1544 9eeb258 socket
        9⤵
        
        PID:620
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.2.1295260332\1150255653" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a63436f5-3d1c-4828-90dd-5613f3e661fb} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 2092 1acb3858 tab
        9⤵
        
        PID:1344
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.3.1298860153\2069691182" -childID 2 -isForBrowser -prefsHandle 672 -prefMapHandle 544 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ae9901-4038-4eaf-a6ae-5269919ab8f3} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 2656 e69558 tab
        9⤵
        
        PID:1544
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.4.973740096\1621883236" -childID 3 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e595ab92-c99d-4607-a2ec-8f92f12d04e6} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3704 2186f858 tab
        9⤵
        
        PID:3996
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.5.502118500\968533327" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3d03097-165a-4c4a-88cb-9315ae00dec9} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3804 2186fb58 tab
        9⤵
        
        PID:4004
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.6.431317061\1638362174" -childID 5 -isForBrowser -prefsHandle 3980 -prefMapHandle 3984 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3681ad08-244b-464e-8b43-1aeb24de05eb} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3968 21871358 tab
        9⤵
        
        PID:4012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion