amadey | ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e

Virtualization/Sandbox Evasion

Processes:

bf99510ac7.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf99510ac7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

74 2740 rundll32.exe
83 5228 rundll32.exe
96 5160 rundll32.exe
101 4436 rundll32.exe
Downloads MZ/PE file

flow	pid	process
74	2740	rundll32.exe
83	5228	rundll32.exe
96	5160	rundll32.exe
101	4436	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorgu.exeexplorha.exeamert.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exebf99510ac7.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf99510ac7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf99510ac7.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 8 IoCs

Processes:

explorha.exebf99510ac7.exego.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

312 explorha.exe
1800 bf99510ac7.exe
2340 go.exe
5256 amert.exe
772 explorha.exe
4588 explorgu.exe
6004 explorha.exe
1360 explorha.exe

pid	process
312	explorha.exe
1800	bf99510ac7.exe
2340	go.exe
5256	amert.exe
772	explorha.exe
4588	explorgu.exe
6004	explorha.exe
1360	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorgu.exeexplorha.exeexplorha.execa0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exebf99510ac7.exeamert.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	bf99510ac7.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4332 rundll32.exe
2740 rundll32.exe
5228 rundll32.exe
1188 rundll32.exe
5160 rundll32.exe
4436 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4332	rundll32.exe
2740	rundll32.exe
5228	rundll32.exe
1188	rundll32.exe
5160	rundll32.exe
4436	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf99510ac7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\bf99510ac7.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid	process
916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
312	explorha.exe
5256	amert.exe
772	explorha.exe
4588	explorgu.exe
6004	explorha.exe
1360	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exeidentity_helper.exepowershell.exeexplorha.exeexplorgu.exerundll32.exepowershell.exeexplorha.exemsedge.exeexplorha.exe

pid	process
916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
312	explorha.exe
312	explorha.exe
4344	msedge.exe
4344	msedge.exe
1528	msedge.exe
1528	msedge.exe
2448	msedge.exe
2448	msedge.exe
5256	amert.exe
5256	amert.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
5508	identity_helper.exe
5508	identity_helper.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe
772	explorha.exe
772	explorha.exe
4588	explorgu.exe
4588	explorgu.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5160	rundll32.exe
5136	powershell.exe
5136	powershell.exe
5136	powershell.exe
6004	explorha.exe
6004	explorha.exe
4516	msedge.exe
4516	msedge.exe
4516	msedge.exe
4516	msedge.exe
1360	explorha.exe
1360	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5612 powershell.exe
Token: SeDebugPrivilege 5136 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeDebugPrivilege	5136	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

go.exemsedge.exe

pid	process
2340	go.exe
2340	go.exe
2340	go.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

go.exemsedge.exe

pid	process
2340	go.exe
2340	go.exe
2340	go.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 916 wrote to memory of 312	916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 916 wrote to memory of 312	916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 916 wrote to memory of 312	916	ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe	explorha.exe
PID 312 wrote to memory of 1800	312	explorha.exe	bf99510ac7.exe
PID 312 wrote to memory of 1800	312	explorha.exe	bf99510ac7.exe
PID 312 wrote to memory of 1800	312	explorha.exe	bf99510ac7.exe
PID 312 wrote to memory of 3820	312	explorha.exe	explorha.exe
PID 312 wrote to memory of 3820	312	explorha.exe	explorha.exe
PID 312 wrote to memory of 3820	312	explorha.exe	explorha.exe
PID 312 wrote to memory of 2340	312	explorha.exe	go.exe
PID 312 wrote to memory of 2340	312	explorha.exe	go.exe
PID 312 wrote to memory of 2340	312	explorha.exe	go.exe
PID 2340 wrote to memory of 4056	2340	go.exe	msedge.exe
PID 2340 wrote to memory of 4056	2340	go.exe	msedge.exe
PID 4056 wrote to memory of 832	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 832	4056	msedge.exe	msedge.exe
PID 2340 wrote to memory of 2448	2340	go.exe	msedge.exe
PID 2340 wrote to memory of 2448	2340	go.exe	msedge.exe
PID 2448 wrote to memory of 2892	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 2892	2448	msedge.exe	msedge.exe
PID 2340 wrote to memory of 1348	2340	go.exe	msedge.exe
PID 2340 wrote to memory of 1348	2340	go.exe	msedge.exe
PID 1348 wrote to memory of 1968	1348	msedge.exe	msedge.exe
PID 1348 wrote to memory of 1968	1348	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe
PID 2448 wrote to memory of 4204	2448	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe
"C:\Users\Admin\AppData\Local\Temp\ca0f8d0ff7eb4c1e84886a2d09f22f0516c019dc79f93ccd30cfa1773970891e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\1000042001\bf99510ac7.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\bf99510ac7.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1800

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe789e46f8,0x7ffe789e4708,0x7ffe789e4718
5⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15973265103053436536,18418977011677857139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
5⤵
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15973265103053436536,18418977011677857139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe789e46f8,0x7ffe789e4708,0x7ffe789e4718
5⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
5⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
5⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
5⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
5⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
5⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
5⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
5⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
5⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
5⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
5⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
5⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
5⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13165404215276643015,15585469254578625604,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3712 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe789e46f8,0x7ffe789e4708,0x7ffe789e4718
5⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,12571102978914469288,15056397813400718415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
5⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:4332

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:1188

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5160

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4436

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6004

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion