xworm | hxxps://cdn[.]discordapp[.]com/attachments/1269727972244455596/1301199340798476300/MEMORY_CODE_STEALER_FROM_EXE[.]exe?ex=672e27d1&is=672cd651&hm=c44e7e1e68603495d2e7f1c5da5b9c5faf33a804bda58ba00035a8edd087c185&

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MEMORY CODE STEALER FROM EXE.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MEMORY CODE STEALER FROM EXE.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	MEMORY CODE STEALER FROM EXE.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	MEMORY CODE STEALER FROM EXE.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MEMORY CODE STEALER FROM EXE.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MEMORY CODE STEALER FROM EXE.exe

Executes dropped EXE 6 IoCs

pid	Process
2860	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5332	svchost.exe
5660	MEMORY CODE STEALER FROM EXE.exe
5716	MEMORY CODE STEALER FROM EXE.exe
5836	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MEMORY CODE STEALER FROM EXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MEMORY CODE STEALER FROM EXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MEMORY CODE STEALER FROM EXE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	MEMORY CODE STEALER FROM EXE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MEMORY CODE STEALER FROM EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MEMORY CODE STEALER FROM EXE.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sin confirmar 862623.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
1800	msedge.exe
1800	msedge.exe
1968	identity_helper.exe
1968	identity_helper.exe
1012	msedge.exe
1012	msedge.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5716	MEMORY CODE STEALER FROM EXE.exe
5716	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5716	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe
5200	MEMORY CODE STEALER FROM EXE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5332	svchost.exe
Token: SeDebugPrivilege	5200	MEMORY CODE STEALER FROM EXE.exe
Token: SeDebugPrivilege	5836	svchost.exe
Token: SeDebugPrivilege	5716	MEMORY CODE STEALER FROM EXE.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4672	1800	msedge.exe	83
PID 1800 wrote to memory of 4672	1800	msedge.exe	83
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 3460	1800	msedge.exe	84
PID 1800 wrote to memory of 4580	1800	msedge.exe	85
PID 1800 wrote to memory of 4580	1800	msedge.exe	85
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86
PID 1800 wrote to memory of 1320	1800	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1269727972244455596/1301199340798476300/MEMORY_CODE_STEALER_FROM_EXE.exe?ex=672e27d1&is=672cd651&hm=c44e7e1e68603495d2e7f1c5da5b9c5faf33a804bda58ba00035a8edd087c185&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff418946f8,0x7fff41894708,0x7fff41894718
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,17829248561190899296,13280414679401619683,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Users\Admin\Downloads\MEMORY CODE STEALER FROM EXE.exe
  "C:\Users\Admin\Downloads\MEMORY CODE STEALER FROM EXE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2860
- - C:\Users\Admin\MEMORY CODE STEALER FROM EXE.exe
    "C:\Users\Admin\MEMORY CODE STEALER FROM EXE.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- - C:\Users\Admin\svchost.exe
    "C:\Users\Admin\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5332
- C:\Users\Admin\Downloads\MEMORY CODE STEALER FROM EXE.exe
  "C:\Users\Admin\Downloads\MEMORY CODE STEALER FROM EXE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5660
- - C:\Users\Admin\MEMORY CODE STEALER FROM EXE.exe
    "C:\Users\Admin\MEMORY CODE STEALER FROM EXE.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5716
- - C:\Users\Admin\svchost.exe
    "C:\Users\Admin\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion