142482b54e8df90d91524768c5df2009899da7d011d6eff3082c9d4b26368a97

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Renames multiple (101) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.txt	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.html	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4832423edb11.lnk	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\#DECRYPT_MY_FILES#.BMP"	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
4984	msedge.exe
4984	msedge.exe
1476	identity_helper.exe
1476	identity_helper.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe
Token: 33	5076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5076	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2060	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	86
PID 3372 wrote to memory of 2060	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	86
PID 3372 wrote to memory of 2060	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	86
PID 2060 wrote to memory of 5036	2060	cmd.exe	88
PID 2060 wrote to memory of 5036	2060	cmd.exe	88
PID 2060 wrote to memory of 5036	2060	cmd.exe	88
PID 3372 wrote to memory of 2340	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 3372 wrote to memory of 2340	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 3372 wrote to memory of 2340	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	93
PID 3372 wrote to memory of 1448	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	94
PID 3372 wrote to memory of 1448	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	94
PID 3372 wrote to memory of 1448	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	94
PID 3372 wrote to memory of 4984	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	95
PID 3372 wrote to memory of 4984	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	95
PID 4984 wrote to memory of 4100	4984	msedge.exe	96
PID 4984 wrote to memory of 4100	4984	msedge.exe	96
PID 3372 wrote to memory of 1712	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	97
PID 3372 wrote to memory of 1712	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	97
PID 3372 wrote to memory of 1712	3372	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	97
PID 1712 wrote to memory of 2064	1712	cmd.exe	99
PID 1712 wrote to memory of 2064	1712	cmd.exe	99
PID 1712 wrote to memory of 2064	1712	cmd.exe	99
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 844	4984	msedge.exe	100
PID 4984 wrote to memory of 1604	4984	msedge.exe	101
PID 4984 wrote to memory of 1604	4984	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
"C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
  2⤵
  PID:2340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4e3446f8,0x7ffd4e344708,0x7ffd4e344718
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    PID:2132
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13829419100054789655,1704984424474751066,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion