stealc | 0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42

Processes:

chrome.exechrome.exemsedge.exemsedge.exechrome.exechrome.exemsedge.exemsedge.exemsedge.exechrome.exe

pid	process
992	chrome.exe
2692	chrome.exe
3248	msedge.exe
3108	msedge.exe
1680	chrome.exe
3652	chrome.exe
4488	msedge.exe
2108	msedge.exe
4972	msedge.exe
3280	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe

Executes dropped EXE 1 IoCs

Processes:

KEGCFCAKFH.exe

pid process

2160 KEGCFCAKFH.exe

pid	process
2160	KEGCFCAKFH.exe

Loads dropped DLL 2 IoCs

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe

pid	process
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exeKEGCFCAKFH.exe

description	pid	process	target process
PID 2248 set thread context of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2996 set thread context of 3248	2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	cmd.exe
PID 2160 set thread context of 2880	2160	KEGCFCAKFH.exe	InstallUtil.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exetimeout.exeInstallUtil.exe0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exeKEGCFCAKFH.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KEGCFCAKFH.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2980 timeout.exe

pid	process
2980	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764710585156307"	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exechrome.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeKEGCFCAKFH.exeidentity_helper.exe

pid	process
2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
3280	chrome.exe
3280	chrome.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
4960	msedge.exe
4960	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
2376	msedge.exe
2376	msedge.exe
412	msedge.exe
412	msedge.exe
2160	KEGCFCAKFH.exe
2160	KEGCFCAKFH.exe
5520	identity_helper.exe
5520	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exechrome.exeKEGCFCAKFH.exe

description	pid	process
Token: SeDebugPrivilege	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Token: SeDebugPrivilege	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeShutdownPrivilege	3280	chrome.exe
Token: SeCreatePagefilePrivilege	3280	chrome.exe
Token: SeDebugPrivilege	2160	KEGCFCAKFH.exe
Token: SeDebugPrivilege	2160	KEGCFCAKFH.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exechrome.exe

description	pid	process	target process
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2248 wrote to memory of 2996	2248	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
PID 2996 wrote to memory of 3280	2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	chrome.exe
PID 2996 wrote to memory of 3280	2996	0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe	chrome.exe
PID 3280 wrote to memory of 3720	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 3720	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 2224	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 628	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 628	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe
PID 3280 wrote to memory of 4092	3280	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
  "C:\Users\Admin\AppData\Local\Temp\0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe
  "C:\Users\Admin\AppData\Local\Temp\0707e1bdf27a68bfcddd52818d0a1091d1e1b711ee01a279eb0ea140af3b7d42.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8159cc40,0x7ffa8159cc4c,0x7ffa8159cc58
      4⤵
      PID:3720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
      4⤵
      PID:2224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      PID:628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2268 /prefetch:8
      4⤵
      PID:4092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3652
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
      4⤵
      PID:4584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
      4⤵
      PID:2488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
      4⤵
      PID:4500
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:8
      4⤵
      PID:1260
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
      4⤵
      PID:4656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
      4⤵
      PID:2488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5352,i,13019186835121618491,13577915441082443559,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa80dd46f8,0x7ffa80dd4708,0x7ffa80dd4718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:1140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:5080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,6243029208987114635,10707362731010181855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4972
- - C:\ProgramData\KEGCFCAKFH.exe
    "C:\ProgramData\KEGCFCAKFH.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cmd.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa80dd46f8,0x7ffa80dd4708,0x7ffa80dd4718
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        5⤵
        
        PID:1676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:4936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:2136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        5⤵
        
        PID:5212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        5⤵
        
        PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
        5⤵
        
        PID:5652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        
        PID:5936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        5⤵
        
        PID:4584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12264960180681873002,3251616053702025684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        5⤵
        
        PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cmd.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa80dd46f8,0x7ffa80dd4708,0x7ffa80dd4718
        5⤵
        
        PID:5608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECFCBFBGDBKJ" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery