gurcu | 66fc943f11f465b81234c1fd1a9dfecb87082fe2560a0b1865c2679a927c76c0

pid	Process
1088	chrome.exe
632	msedge.exe
4508	msedge.exe
5620	msedge.exe
3920	msedge.exe
4128	chrome.exe
2472	chrome.exe
3164	chrome.exe
5624	msedge.exe
2708	msedge.exe
5552	chrome.exe
2968	chrome.exe
2896	msedge.exe
2932	msedge.exe
5164	chrome.exe
4448	chrome.exe
1908	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	generated30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4820	svchost.exe
5844	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdater = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdater\\svchost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
30	raw.githubusercontent.com
40	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4924	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_632_809632238\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping632_1015769748\_locales\nl\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4800	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884422409020692"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{ADEC49A9-0E3D-44CE-9943-6004AE4229AA}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{23AB6038-D376-4ED7-B070-15A6CB89FCDB}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
2856	generated30.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
4820	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe
5844	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	generated30.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	4820	svchost.exe
Token: SeDebugPrivilege	5844	svchost.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe
Token: SeShutdownPrivilege	5552	chrome.exe
Token: SeCreatePagefilePrivilege	5552	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5552	chrome.exe
632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4480	2856	generated30.exe	94
PID 2856 wrote to memory of 4480	2856	generated30.exe	94
PID 4480 wrote to memory of 3436	4480	cmd.exe	96
PID 4480 wrote to memory of 3436	4480	cmd.exe	96
PID 4480 wrote to memory of 4924	4480	cmd.exe	97
PID 4480 wrote to memory of 4924	4480	cmd.exe	97
PID 4480 wrote to memory of 4832	4480	cmd.exe	98
PID 4480 wrote to memory of 4832	4480	cmd.exe	98
PID 4480 wrote to memory of 4800	4480	cmd.exe	99
PID 4480 wrote to memory of 4800	4480	cmd.exe	99
PID 4480 wrote to memory of 4820	4480	cmd.exe	101
PID 4480 wrote to memory of 4820	4480	cmd.exe	101
PID 4820 wrote to memory of 4676	4820	svchost.exe	104
PID 4820 wrote to memory of 4676	4820	svchost.exe	104
PID 4676 wrote to memory of 5548	4676	cmd.exe	106
PID 4676 wrote to memory of 5548	4676	cmd.exe	106
PID 4532 wrote to memory of 5844	4532	cmd.exe	109
PID 4532 wrote to memory of 5844	4532	cmd.exe	109
PID 4820 wrote to memory of 5552	4820	svchost.exe	110
PID 4820 wrote to memory of 5552	4820	svchost.exe	110
PID 5552 wrote to memory of 5644	5552	chrome.exe	111
PID 5552 wrote to memory of 5644	5552	chrome.exe	111
PID 5552 wrote to memory of 5956	5552	chrome.exe	112
PID 5552 wrote to memory of 5956	5552	chrome.exe	112
PID 5552 wrote to memory of 1396	5552	chrome.exe	113
PID 5552 wrote to memory of 1396	5552	chrome.exe	113
PID 5552 wrote to memory of 2440	5552	chrome.exe	114
PID 5552 wrote to memory of 2440	5552	chrome.exe	114
PID 5552 wrote to memory of 4128	5552	chrome.exe	115
PID 5552 wrote to memory of 4128	5552	chrome.exe	115
PID 5552 wrote to memory of 1088	5552	chrome.exe	117
PID 5552 wrote to memory of 1088	5552	chrome.exe	117
PID 5552 wrote to memory of 5164	5552	chrome.exe	118
PID 5552 wrote to memory of 5164	5552	chrome.exe	118
PID 5552 wrote to memory of 2472	5552	chrome.exe	119
PID 5552 wrote to memory of 2472	5552	chrome.exe	119
PID 5552 wrote to memory of 6112	5552	chrome.exe	120
PID 5552 wrote to memory of 6112	5552	chrome.exe	120
PID 5552 wrote to memory of 3368	5552	chrome.exe	121
PID 5552 wrote to memory of 3368	5552	chrome.exe	121
PID 5552 wrote to memory of 2692	5552	chrome.exe	123
PID 5552 wrote to memory of 2692	5552	chrome.exe	123
PID 5552 wrote to memory of 4448	5552	chrome.exe	124
PID 5552 wrote to memory of 4448	5552	chrome.exe	124
PID 5552 wrote to memory of 3164	5552	chrome.exe	125
PID 5552 wrote to memory of 3164	5552	chrome.exe	125
PID 5552 wrote to memory of 2968	5552	chrome.exe	126
PID 5552 wrote to memory of 2968	5552	chrome.exe	126
PID 5552 wrote to memory of 3420	5552	chrome.exe	136
PID 5552 wrote to memory of 3420	5552	chrome.exe	136
PID 5552 wrote to memory of 868	5552	chrome.exe	137
PID 5552 wrote to memory of 868	5552	chrome.exe	137
PID 5552 wrote to memory of 4652	5552	chrome.exe	138
PID 5552 wrote to memory of 4652	5552	chrome.exe	138
PID 4820 wrote to memory of 632	4820	svchost.exe	139
PID 4820 wrote to memory of 632	4820	svchost.exe	139
PID 632 wrote to memory of 2492	632	msedge.exe	140
PID 632 wrote to memory of 2492	632	msedge.exe	140
PID 632 wrote to memory of 4000	632	msedge.exe	141
PID 632 wrote to memory of 4000	632	msedge.exe	141
PID 632 wrote to memory of 5948	632	msedge.exe	142
PID 632 wrote to memory of 5948	632	msedge.exe	142
PID 632 wrote to memory of 4440	632	msedge.exe	143
PID 632 wrote to memory of 4440	632	msedge.exe	143

C:\Users\Admin\AppData\Local\Temp\generated30.exe
"C:\Users\Admin\AppData\Local\Temp\generated30.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp683F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp683F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2856"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4800
- - C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe
    "C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --no-sandbox --disable-gpu
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5552
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff995c1dcf8,0x7ff995c1dd04,0x7ff995c1dd10
        5⤵
        
        PID:5644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2056,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2040 /prefetch:2
        5⤵
        
        PID:5956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2084,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        
        PID:1396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2360,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2356 /prefetch:8
        5⤵
        
        PID:2440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2964,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2960 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3004,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2996 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3712 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:5164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4104,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4100 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4620,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4616 /prefetch:8
        5⤵
        
        PID:6112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4724,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4584 /prefetch:8
        5⤵
        
        PID:3368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4944,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4808 /prefetch:8
        5⤵
        
        PID:2692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4628,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4636 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4992,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4632 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5060,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5056 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5264,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5108 /prefetch:8
        5⤵
        
        PID:3420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4680,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5064 /prefetch:8
        5⤵
        
        PID:868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5196,i,18060722455993188620,2959624084966403611,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        
        PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --headless --no-sandbox --disable-gpu
      4⤵
      Uses browser remote debugging
      Drops file in Program Files directory
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ff97ffdf208,0x7ff97ffdf214,0x7ff97ffdf220
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2192,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:4000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2204,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2360,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
        5⤵
        
        PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3348,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3372,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4592,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4708,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4896,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:8
        5⤵
        
        PID:5592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4816,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:8
        5⤵
        
        PID:4764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5008,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5028,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
        5⤵
        
        PID:4928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5752,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5804,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:8
        5⤵
        
        PID:2488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5804,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:8
        5⤵
        
        PID:1580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5988,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
        5⤵
        
        PID:5864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6040,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:5680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6216,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5236,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
        5⤵
        
        PID:544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4664,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
        5⤵
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6296,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4736,i,2319081846421482187,4647551992472472784,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
        5⤵
        
        PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe
  C:\Users\Admin\AppData\Local\AdobeUpdater\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5844

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery