redline | hxxps://www[.]goflle[.]io/d/8MLl89

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	perm.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	perm.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	perm.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	perm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	perm.exe

Executes dropped EXE 2 IoCs

pid	Process
4716	perm.exe
4924	perm.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	perm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	perm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	perm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	perm.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241215123218.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\af4bc93a-574c-4c26-9631-76ad780b2d0f.tmp	setup.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5060	sc.exe
3016	sc.exe
1388	sc.exe
2072	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
4124	taskkill.exe
4172	taskkill.exe
4764	taskkill.exe
4164	taskkill.exe
3080	taskkill.exe
2448	taskkill.exe
3140	taskkill.exe
1608	taskkill.exe
4812	taskkill.exe
240	taskkill.exe
4100	taskkill.exe
1068	taskkill.exe
2452	taskkill.exe
2720	taskkill.exe
1104	taskkill.exe
1712	taskkill.exe
4084	taskkill.exe
2596	taskkill.exe
4668	taskkill.exe
4048	taskkill.exe
4728	taskkill.exe
1872	taskkill.exe
820	taskkill.exe
3204	taskkill.exe
3996	taskkill.exe
2220	taskkill.exe
3524	taskkill.exe
3424	taskkill.exe
2468	taskkill.exe
4664	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 789176.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1884	msedge.exe
1884	msedge.exe
4216	identity_helper.exe
4216	identity_helper.exe
4692	msedge.exe
4692	msedge.exe
4716	perm.exe
4924	perm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe
Token: SeIncBasePriorityPrivilege	4716	perm.exe
Token: 33	4716	perm.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1716	1884	msedge.exe	80
PID 1884 wrote to memory of 1716	1884	msedge.exe	80
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 3684	1884	msedge.exe	81
PID 1884 wrote to memory of 1128	1884	msedge.exe	82
PID 1884 wrote to memory of 1128	1884	msedge.exe	82
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83
PID 1884 wrote to memory of 2484	1884	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.goflle.io/d/8MLl89
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc167a46f8,0x7ffc167a4708,0x7ffc167a4718
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff600595460,0x7ff600595470,0x7ff600595480
    3⤵
    PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,1314822187945336721,4224289585002222600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:116

C:\Users\Admin\Downloads\perm.exe
"C:\Users\Admin\Downloads\perm.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3080

C:\Users\Admin\Desktop\perm.exe
"C:\Users\Admin\Desktop\perm.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4924
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion