amadey | e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svoutse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe

Executes dropped EXE 3 IoCs

pid	Process
3520	svoutse.exe
1156	c8d13228ca.exe
560	b2d09f4383.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	svoutse.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8d13228ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000009001\\c8d13228ca.exe"	svoutse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b2d09f4383.exe = "C:\\Users\\Admin\\1000010002\\b2d09f4383.exe"	svoutse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011021\\file.cmd"	svoutse.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
3520	svoutse.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 3140	1156	c8d13228ca.exe	93

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\svoutse.job	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svoutse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8d13228ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2d09f4383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{CB648A70-9012-4663-BE2E-6B5411CFE0FF}	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
3520	svoutse.exe
3520	svoutse.exe
5452	msedge.exe
5452	msedge.exe
5624	msedge.exe
5624	msedge.exe
5720	chrome.exe
5720	chrome.exe
5640	chrome.exe
5640	chrome.exe
6148	msedge.exe
6148	msedge.exe
6148	msedge.exe
6148	msedge.exe
5640	chrome.exe
5640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5624	msedge.exe
5624	msedge.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeDebugPrivilege	1804	firefox.exe
Token: SeDebugPrivilege	1804	firefox.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe
1804	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5464 wrote to memory of 3520	5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe	87
PID 5464 wrote to memory of 3520	5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe	87
PID 5464 wrote to memory of 3520	5464	e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe	87
PID 3520 wrote to memory of 1156	3520	svoutse.exe	90
PID 3520 wrote to memory of 1156	3520	svoutse.exe	90
PID 3520 wrote to memory of 1156	3520	svoutse.exe	90
PID 1156 wrote to memory of 552	1156	c8d13228ca.exe	91
PID 1156 wrote to memory of 552	1156	c8d13228ca.exe	91
PID 1156 wrote to memory of 552	1156	c8d13228ca.exe	91
PID 1156 wrote to memory of 4392	1156	c8d13228ca.exe	92
PID 1156 wrote to memory of 4392	1156	c8d13228ca.exe	92
PID 1156 wrote to memory of 4392	1156	c8d13228ca.exe	92
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 1156 wrote to memory of 3140	1156	c8d13228ca.exe	93
PID 3520 wrote to memory of 560	3520	svoutse.exe	95
PID 3520 wrote to memory of 560	3520	svoutse.exe	95
PID 3520 wrote to memory of 560	3520	svoutse.exe	95
PID 3520 wrote to memory of 5496	3520	svoutse.exe	97
PID 3520 wrote to memory of 5496	3520	svoutse.exe	97
PID 3520 wrote to memory of 5496	3520	svoutse.exe	97
PID 5496 wrote to memory of 5720	5496	cmd.exe	99
PID 5496 wrote to memory of 5720	5496	cmd.exe	99
PID 5496 wrote to memory of 5624	5496	cmd.exe	100
PID 5496 wrote to memory of 5624	5496	cmd.exe	100
PID 5496 wrote to memory of 2544	5496	cmd.exe	101
PID 5496 wrote to memory of 2544	5496	cmd.exe	101
PID 5720 wrote to memory of 5600	5720	chrome.exe	102
PID 5720 wrote to memory of 5600	5720	chrome.exe	102
PID 5624 wrote to memory of 5356	5624	msedge.exe	104
PID 5624 wrote to memory of 5356	5624	msedge.exe	104
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 2544 wrote to memory of 1804	2544	firefox.exe	103
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105
PID 1804 wrote to memory of 228	1804	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe
"C:\Users\Admin\AppData\Local\Temp\e8f71cbcf6e0de49306f7abb28dd2d91546f4866fce7107f469e5a286f2e142a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\1000009001\c8d13228ca.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\c8d13228ca.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3140
- - C:\Users\Admin\1000010002\b2d09f4383.exe
    "C:\Users\Admin\1000010002\b2d09f4383.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000011021\file.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffaa105cc40,0x7ffaa105cc4c,0x7ffaa105cc58
        5⤵
        
        PID:5600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
        5⤵
        
        PID:5980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:3
        5⤵
        
        PID:444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2092 /prefetch:8
        5⤵
        
        PID:5328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
        5⤵
        
        PID:3016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        
        PID:5732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
        5⤵
        
        PID:7120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4624,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:8
        5⤵
        
        PID:7112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:7148
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5076,i,13070238619950779740,13336364568562279458,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=844 /prefetch:8
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa928e46f8,0x7ffa928e4708,0x7ffa928e4718
        5⤵
        
        PID:5356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:3748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
        5⤵
        
        PID:3664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        
        PID:4932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15493509305853644395,18263559184473185345,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cea0f1e-c17d-4f95-a20e-8ec003e0783e} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" gpu
        6⤵
        
        PID:228
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73003e72-84d2-4390-af28-3a150e8a1608} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" socket
        6⤵
        
        PID:1900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a6b5d32-7b88-4eea-b641-cc1d81ec2d50} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:5832
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1492 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3144 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca005fec-251b-4cc2-8259-47bf7e52ffcf} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:5560
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4220 -prefMapHandle 4240 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f4173d-ed56-4eb9-ba97-24f13403cd5e} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" utility
        6⤵
        Checks processor information in registry
        
        PID:6344
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27129 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89a119bc-a53b-4159-8e08-b818cd5b9b9b} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:2624
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 4 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 27129 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bb23e2-c30e-4769-9334-197470a377db} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:5764
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27129 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {241a2983-3848-4fff-99b3-d854599248d7} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:4840
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 5560 -prefsLen 27129 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56c77d34-798a-445a-af3d-0ec687320e85} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" tab
        6⤵
        
        PID:5320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion