amadey | 16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exeamert.exeexplorgu.exe16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe507b1bc1a1.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	507b1bc1a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

65 6312 rundll32.exe
83 5688 rundll32.exe
111 6500 rundll32.exe
112 976 rundll32.exe
Downloads MZ/PE file

flow	pid	process
65	6312	rundll32.exe
83	5688	rundll32.exe
111	6500	rundll32.exe
112	976	rundll32.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorha.exeexplorgu.exe507b1bc1a1.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	507b1bc1a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	507b1bc1a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorgu.exe16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	explorha.exe

Executes dropped EXE 9 IoCs

Processes:

explorha.exe507b1bc1a1.exeexplorha.exego.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

4664 explorha.exe
1548 507b1bc1a1.exe
1224 explorha.exe
4944 go.exe
5336 amert.exe
6268 explorha.exe
5616 explorgu.exe
6188 explorha.exe
5844 explorha.exe

pid	process
4664	explorha.exe
1548	507b1bc1a1.exe
1224	explorha.exe
4944	go.exe
5336	amert.exe
6268	explorha.exe
5616	explorgu.exe
6188	explorha.exe
5844	explorha.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exe16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe507b1bc1a1.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	507b1bc1a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

6288 rundll32.exe
6312 rundll32.exe
5688 rundll32.exe
7028 rundll32.exe
6500 rundll32.exe
976 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
6288	rundll32.exe
6312	rundll32.exe
5688	rundll32.exe
7028	rundll32.exe
6500	rundll32.exe
976	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\507b1bc1a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\507b1bc1a1.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorgu.exeexplorha.exe

pid	process
4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
4664	explorha.exe
5336	amert.exe
6268	explorha.exe
6188	explorha.exe
5616	explorgu.exe
5844	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 4664 set thread context of 1224 4664 explorha.exe explorha.exe

description	pid	process	target process
PID 4664 set thread context of 1224	4664	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exeexplorha.exerundll32.exepowershell.exeidentity_helper.exeexplorha.exeexplorgu.exerundll32.exepowershell.exemsedge.exeexplorha.exe

pid	process
4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
4664	explorha.exe
4664	explorha.exe
4956	msedge.exe
4956	msedge.exe
4000	msedge.exe
4000	msedge.exe
4740	msedge.exe
4740	msedge.exe
5668	msedge.exe
5668	msedge.exe
5336	amert.exe
5336	amert.exe
6268	explorha.exe
6268	explorha.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6312	rundll32.exe
6940	powershell.exe
6940	powershell.exe
6940	powershell.exe
6344	identity_helper.exe
6344	identity_helper.exe
6188	explorha.exe
6188	explorha.exe
5616	explorgu.exe
5616	explorgu.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6500	rundll32.exe
6404	powershell.exe
6404	powershell.exe
6404	powershell.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
5844	explorha.exe
5844	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 6940 powershell.exe
Token: SeDebugPrivilege 6404 powershell.exe

description	pid	process
Token: SeDebugPrivilege	6940	powershell.exe
Token: SeDebugPrivilege	6404	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exego.exemsedge.exeamert.exe

pid	process
4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
4944	go.exe
4944	go.exe
4944	go.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
5336	amert.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

go.exemsedge.exe

pid	process
4944	go.exe
4944	go.exe
4944	go.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4580 wrote to memory of 4664	4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe	explorha.exe
PID 4580 wrote to memory of 4664	4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe	explorha.exe
PID 4580 wrote to memory of 4664	4580	16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe	explorha.exe
PID 4664 wrote to memory of 1548	4664	explorha.exe	507b1bc1a1.exe
PID 4664 wrote to memory of 1548	4664	explorha.exe	507b1bc1a1.exe
PID 4664 wrote to memory of 1548	4664	explorha.exe	507b1bc1a1.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 1224	4664	explorha.exe	explorha.exe
PID 4664 wrote to memory of 4944	4664	explorha.exe	go.exe
PID 4664 wrote to memory of 4944	4664	explorha.exe	go.exe
PID 4664 wrote to memory of 4944	4664	explorha.exe	go.exe
PID 4944 wrote to memory of 316	4944	go.exe	msedge.exe
PID 4944 wrote to memory of 316	4944	go.exe	msedge.exe
PID 316 wrote to memory of 2268	316	msedge.exe	msedge.exe
PID 316 wrote to memory of 2268	316	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4740	4944	go.exe	msedge.exe
PID 4944 wrote to memory of 4740	4944	go.exe	msedge.exe
PID 4740 wrote to memory of 2588	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2588	4740	msedge.exe	msedge.exe
PID 4944 wrote to memory of 1052	4944	go.exe	msedge.exe
PID 4944 wrote to memory of 1052	4944	go.exe	msedge.exe
PID 1052 wrote to memory of 3000	1052	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3000	1052	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 2148	4740	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe
"C:\Users\Admin\AppData\Local\Temp\16b6e8aa549422d4d45d12498c0661535f5ee54557a48b10f5bec6d1430bcd19.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\1000042001\507b1bc1a1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\507b1bc1a1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabedb46f8,0x7ffabedb4708,0x7ffabedb4718
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5721726488517650685,9026032000078394029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        5⤵
        
        PID:4140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5721726488517650685,9026032000078394029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabedb46f8,0x7ffabedb4708,0x7ffabedb4718
        5⤵
        
        PID:2588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:2148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
        5⤵
        
        PID:4720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        5⤵
        
        PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
        5⤵
        
        PID:6024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        5⤵
        
        PID:5316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
        5⤵
        
        PID:6592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
        5⤵
        
        PID:6608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
        5⤵
        
        PID:6528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
        5⤵
        
        PID:5732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4129609834921527193,10570228413910129844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4436 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabedb46f8,0x7ffabedb4708,0x7ffabedb4718
        5⤵
        
        PID:3000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16051202374073928567,18207895064052813489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        5⤵
        
        PID:5660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16051202374073928567,18207895064052813489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5668
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5336
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:6288
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:6312
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:6576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6940
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6268

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5616
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:7028
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:6500
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6404
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:976

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6188

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion