amadey | 39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exe39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exe49a0a6717b.exeamert.exeexplorha.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	49a0a6717b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

85 5728 rundll32.exe
95 5824 rundll32.exe
109 2060 rundll32.exe
110 2916 rundll32.exe
Downloads MZ/PE file

flow	pid	process
85	5728	rundll32.exe
95	5824	rundll32.exe
109	2060	rundll32.exe
110	2916	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorha.exeamert.exeexplorha.exe49a0a6717b.exeexplorha.exeexplorha.exe39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	49a0a6717b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	49a0a6717b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 8 IoCs

Processes:

explorha.exe49a0a6717b.exego.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

4864 explorha.exe
5076 49a0a6717b.exe
4876 go.exe
1028 amert.exe
4568 explorha.exe
5656 explorgu.exe
5796 explorha.exe
5748 explorha.exe

pid	process
4864	explorha.exe
5076	49a0a6717b.exe
4876	go.exe
1028	amert.exe
4568	explorha.exe
5656	explorgu.exe
5796	explorha.exe
5748	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exe39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exe49a0a6717b.exeamert.exeexplorha.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	49a0a6717b.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorgu.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5960 rundll32.exe
5824 rundll32.exe
5728 rundll32.exe
4212 rundll32.exe
2060 rundll32.exe
2916 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5960	rundll32.exe
5824	rundll32.exe
5728	rundll32.exe
4212	rundll32.exe
2060	rundll32.exe
2916	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49a0a6717b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\49a0a6717b.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid	process
2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
4864	explorha.exe
1028	amert.exe
4568	explorha.exe
5656	explorgu.exe
5796	explorha.exe
5748	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exeexplorha.exeexplorgu.exepowershell.exeidentity_helper.exerundll32.exepowershell.exeexplorha.exemsedge.exeexplorha.exe

pid	process
2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
4864	explorha.exe
4864	explorha.exe
1356	msedge.exe
1356	msedge.exe
1988	msedge.exe
1988	msedge.exe
5200	msedge.exe
5200	msedge.exe
4992	msedge.exe
4992	msedge.exe
1028	amert.exe
1028	amert.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
4568	explorha.exe
4568	explorha.exe
5656	explorgu.exe
5656	explorgu.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
5824	rundll32.exe
5776	powershell.exe
5776	powershell.exe
5776	powershell.exe
1868	identity_helper.exe
1868	identity_helper.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5796	explorha.exe
5796	explorha.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5748	explorha.exe
5748	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5776 powershell.exe
Token: SeDebugPrivilege 5480 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5776	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exego.exemsedge.exeamert.exe

pid	process
2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
4876	go.exe
4876	go.exe
4876	go.exe
4876	go.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
1028	amert.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

go.exemsedge.exe

pid	process
4876	go.exe
4876	go.exe
4876	go.exe
4876	go.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2352 wrote to memory of 4864	2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 2352 wrote to memory of 4864	2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 2352 wrote to memory of 4864	2352	39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe	explorha.exe
PID 4864 wrote to memory of 5076	4864	explorha.exe	49a0a6717b.exe
PID 4864 wrote to memory of 5076	4864	explorha.exe	49a0a6717b.exe
PID 4864 wrote to memory of 5076	4864	explorha.exe	49a0a6717b.exe
PID 4864 wrote to memory of 4044	4864	explorha.exe	explorha.exe
PID 4864 wrote to memory of 4044	4864	explorha.exe	explorha.exe
PID 4864 wrote to memory of 4044	4864	explorha.exe	explorha.exe
PID 4864 wrote to memory of 4876	4864	explorha.exe	go.exe
PID 4864 wrote to memory of 4876	4864	explorha.exe	go.exe
PID 4864 wrote to memory of 4876	4864	explorha.exe	go.exe
PID 4876 wrote to memory of 488	4876	go.exe	msedge.exe
PID 4876 wrote to memory of 488	4876	go.exe	msedge.exe
PID 4876 wrote to memory of 4380	4876	go.exe	msedge.exe
PID 4876 wrote to memory of 4380	4876	go.exe	msedge.exe
PID 4876 wrote to memory of 4992	4876	go.exe	msedge.exe
PID 4876 wrote to memory of 4992	4876	go.exe	msedge.exe
PID 488 wrote to memory of 3668	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3668	488	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4400	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4400	4380	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4612	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4612	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4824	4992	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe
"C:\Users\Admin\AppData\Local\Temp\39a58a4549ee1eedcee35a637d524761c70bfc878abd451c56fb9fd4b439ea71.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\1000042001\49a0a6717b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\49a0a6717b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:5076
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Suspicious use of WriteProcessMemory
      PID:488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeec946f8,0x7fffeec94708,0x7fffeec94718
        5⤵
        
        PID:3668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,8292981425697444425,8507310395414898620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:3592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,8292981425697444425,8507310395414898620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffeec946f8,0x7fffeec94708,0x7fffeec94718
        5⤵
        
        PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8364104834684712436,4983527113924223293,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8364104834684712436,4983527113924223293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffeec946f8,0x7fffeec94708,0x7fffeec94718
        5⤵
        
        PID:4612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
        5⤵
        
        PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:5220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        5⤵
        
        PID:5620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
        5⤵
        
        PID:5872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        5⤵
        
        PID:6088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        5⤵
        
        PID:3900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        5⤵
        
        PID:4800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16254492669935307489,2267653810008317645,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5840
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1028
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5960
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5824
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5776
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5656
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:4212
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5480
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2916

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5796

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion