amadey | b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	u8frcVVDI6sXvEJHPjLj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PbdS7oLPWBmLc719hHgb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d3afcbba3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
185	4476	rundll32.exe
169	5376	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d3afcbba3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d3afcbba3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	conan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explorha.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	conan.exe

Executes dropped EXE 9 IoCs

pid	Process
4224	u8frcVVDI6sXvEJHPjLj.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4456	explorha.exe
32	PbdS7oLPWBmLc719hHgb.exe
2244	2d3afcbba3.exe
4440	go.exe
2020	amert.exe
5228	explorha.exe
5260	explorgu.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	u8frcVVDI6sXvEJHPjLj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorgu.exe

Loads dropped DLL 3 IoCs

pid	Process
760	rundll32.exe
4476	rundll32.exe
5376	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000200000001e6f9-172.dat	themida
behavioral2/memory/32-207-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-208-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-209-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-218-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-219-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-220-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-221-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-222-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-224-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/2244-234-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-235-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-236-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-237-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-238-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-239-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-240-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-241-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-242-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/32-250-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/2244-283-0x00000000000F0000-0x000000000088E000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2d3afcbba3.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ipinfo.io
46	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002326c-125.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4224	u8frcVVDI6sXvEJHPjLj.exe
4456	explorha.exe
2020	amert.exe
5260	explorgu.exe
5228	explorha.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\explorha.job	u8frcVVDI6sXvEJHPjLj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3580	460	WerFault.exe	90

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conan.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4896	schtasks.exe
1236	schtasks.exe
3344	schtasks.exe
2488	schtasks.exe
2472	schtasks.exe
5096	schtasks.exe
956	schtasks.exe
1008	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A78E9027-BBE1-42B7-BD4A-674EE82DB382}	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
4456	explorha.exe
4456	explorha.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
2020	amert.exe
2020	amert.exe
5260	explorgu.exe
5260	explorgu.exe
5228	explorha.exe
5228	explorha.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	powershell.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4440	go.exe
4440	go.exe
4440	go.exe
4440	go.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4440	go.exe
4440	go.exe
4440	go.exe
4440	go.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1236	460	conan.exe	102
PID 460 wrote to memory of 1236	460	conan.exe	102
PID 460 wrote to memory of 1236	460	conan.exe	102
PID 460 wrote to memory of 3344	460	conan.exe	104
PID 460 wrote to memory of 3344	460	conan.exe	104
PID 460 wrote to memory of 3344	460	conan.exe	104
PID 460 wrote to memory of 2488	460	conan.exe	108
PID 460 wrote to memory of 2488	460	conan.exe	108
PID 460 wrote to memory of 2488	460	conan.exe	108
PID 460 wrote to memory of 2472	460	conan.exe	110
PID 460 wrote to memory of 2472	460	conan.exe	110
PID 460 wrote to memory of 2472	460	conan.exe	110
PID 460 wrote to memory of 4224	460	conan.exe	112
PID 460 wrote to memory of 4224	460	conan.exe	112
PID 460 wrote to memory of 4224	460	conan.exe	112
PID 460 wrote to memory of 5096	460	conan.exe	113
PID 460 wrote to memory of 5096	460	conan.exe	113
PID 460 wrote to memory of 5096	460	conan.exe	113
PID 460 wrote to memory of 956	460	conan.exe	115
PID 460 wrote to memory of 956	460	conan.exe	115
PID 460 wrote to memory of 956	460	conan.exe	115
PID 460 wrote to memory of 2244	460	conan.exe	137
PID 460 wrote to memory of 2244	460	conan.exe	137
PID 460 wrote to memory of 2244	460	conan.exe	137
PID 2244 wrote to memory of 2188	2244	o4crizxIYyBXjlrNHB8A.exe	118
PID 2244 wrote to memory of 2188	2244	o4crizxIYyBXjlrNHB8A.exe	118
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	120
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	120
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	120
PID 2244 wrote to memory of 2588	2244	o4crizxIYyBXjlrNHB8A.exe	121
PID 2244 wrote to memory of 2588	2244	o4crizxIYyBXjlrNHB8A.exe	121
PID 2244 wrote to memory of 5116	2244	o4crizxIYyBXjlrNHB8A.exe	126
PID 2244 wrote to memory of 5116	2244	o4crizxIYyBXjlrNHB8A.exe	126
PID 460 wrote to memory of 1008	460	conan.exe	129
PID 460 wrote to memory of 1008	460	conan.exe	129
PID 460 wrote to memory of 1008	460	conan.exe	129
PID 460 wrote to memory of 4896	460	conan.exe	134
PID 460 wrote to memory of 4896	460	conan.exe	134
PID 460 wrote to memory of 4896	460	conan.exe	134
PID 460 wrote to memory of 32	460	conan.exe	136
PID 460 wrote to memory of 32	460	conan.exe	136
PID 460 wrote to memory of 32	460	conan.exe	136
PID 4456 wrote to memory of 2244	4456	explorha.exe	137
PID 4456 wrote to memory of 2244	4456	explorha.exe	137
PID 4456 wrote to memory of 2244	4456	explorha.exe	137
PID 4456 wrote to memory of 760	4456	explorha.exe	141
PID 4456 wrote to memory of 760	4456	explorha.exe	141
PID 4456 wrote to memory of 760	4456	explorha.exe	141
PID 760 wrote to memory of 4476	760	rundll32.exe	142
PID 760 wrote to memory of 4476	760	rundll32.exe	142
PID 4476 wrote to memory of 1984	4476	rundll32.exe	143
PID 4476 wrote to memory of 1984	4476	rundll32.exe	143
PID 4456 wrote to memory of 4104	4456	explorha.exe	145
PID 4456 wrote to memory of 4104	4456	explorha.exe	145
PID 4456 wrote to memory of 4104	4456	explorha.exe	145
PID 4456 wrote to memory of 4440	4456	explorha.exe	146
PID 4456 wrote to memory of 4440	4456	explorha.exe	146
PID 4456 wrote to memory of 4440	4456	explorha.exe	146
PID 4440 wrote to memory of 3276	4440	go.exe	147
PID 4440 wrote to memory of 3276	4440	go.exe	147
PID 4440 wrote to memory of 4248	4440	go.exe	148
PID 4440 wrote to memory of 4248	4440	go.exe	148
PID 4440 wrote to memory of 2368	4440	go.exe	149
PID 4440 wrote to memory of 2368	4440	go.exe	149

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

C:\Users\Admin\AppData\Local\Temp\conan.exe
"C:\Users\Admin\AppData\Local\Temp\conan.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:460
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\u8frcVVDI6sXvEJHPjLj.exe
  "C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\u8frcVVDI6sXvEJHPjLj.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\1000042001\2d3afcbba3.exe
      "C:\Users\Admin\AppData\Local\Temp\1000042001\2d3afcbba3.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:2244
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:1984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
      "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        5⤵
        
        PID:3276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
        5⤵
        
        PID:4248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
      "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2020
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:5376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:956
- C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\o4crizxIYyBXjlrNHB8A.exe
  "C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\o4crizxIYyBXjlrNHB8A.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:5116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\PbdS7oLPWBmLc719hHgb.exe
  "C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\PbdS7oLPWBmLc719hHgb.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 2140
  2⤵
  - Program crash
  PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:3
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3484 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4948 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4104 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5876 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5868 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6444 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 460 -ip 460
1⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5228

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion