amadey | b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exevXbOe0IOrFqOJ3RBX7tj.exeexplorha.exe5JVua4DaMoZkTEvuxZBj.exeexplorha.exeexplorha.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vXbOe0IOrFqOJ3RBX7tj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5JVua4DaMoZkTEvuxZBj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow	pid	Process
114	732	rundll32.exe
115	5128	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

5JVua4DaMoZkTEvuxZBj.exeexplorha.exeexplorha.exevXbOe0IOrFqOJ3RBX7tj.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5JVua4DaMoZkTEvuxZBj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vXbOe0IOrFqOJ3RBX7tj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5JVua4DaMoZkTEvuxZBj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vXbOe0IOrFqOJ3RBX7tj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

conan.exevXbOe0IOrFqOJ3RBX7tj.exeexplorha.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	conan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	vXbOe0IOrFqOJ3RBX7tj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explorha.exe

Drops startup file 1 IoCs

Processes:

conan.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	conan.exe

Executes dropped EXE 8 IoCs

Processes:

vXbOe0IOrFqOJ3RBX7tj.exepDMNvQfde2FIEHTlZsFc.exeexplorha.exe5JVua4DaMoZkTEvuxZBj.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

pid	Process
3888	vXbOe0IOrFqOJ3RBX7tj.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
1216	explorha.exe
6104	5JVua4DaMoZkTEvuxZBj.exe
4280	explorha.exe
4476	explorha.exe
3256	explorha.exe
4388	explorha.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exeexplorha.exeexplorha.exevXbOe0IOrFqOJ3RBX7tj.exeexplorha.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	vXbOe0IOrFqOJ3RBX7tj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	Process
5680	rundll32.exe
732	rundll32.exe
5128	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000700000002324b-204.dat	themida
behavioral1/memory/6104-243-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-244-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-245-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-246-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-250-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-255-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-269-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-264-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-272-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida
behavioral1/memory/6104-441-0x00000000005B0000-0x0000000000D56000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

conan.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

conan.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c\\AdobeUpdaterV131.exe"	conan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

5JVua4DaMoZkTEvuxZBj.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5JVua4DaMoZkTEvuxZBj.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	ipinfo.io
20	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x0006000000023234-110.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vXbOe0IOrFqOJ3RBX7tj.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

pid	Process
3888	vXbOe0IOrFqOJ3RBX7tj.exe
1216	explorha.exe
4280	explorha.exe
4476	explorha.exe
3256	explorha.exe
4388	explorha.exe

Drops file in Windows directory 1 IoCs

Processes:

vXbOe0IOrFqOJ3RBX7tj.exe

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	vXbOe0IOrFqOJ3RBX7tj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
372	1580	WerFault.exe	86

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

conan.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conan.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
5472	schtasks.exe
5912	schtasks.exe
1416	schtasks.exe
644	schtasks.exe
3400	schtasks.exe
592	schtasks.exe
3052	schtasks.exe
4268	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

conan.exevXbOe0IOrFqOJ3RBX7tj.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exerundll32.exepowershell.exeexplorha.exeexplorha.exemsedge.exeexplorha.exeexplorha.exe

pid	Process
1580	conan.exe
1580	conan.exe
3888	vXbOe0IOrFqOJ3RBX7tj.exe
3888	vXbOe0IOrFqOJ3RBX7tj.exe
1216	explorha.exe
1216	explorha.exe
3344	msedge.exe
3344	msedge.exe
4980	msedge.exe
4980	msedge.exe
5508	msedge.exe
5508	msedge.exe
5684	msedge.exe
5684	msedge.exe
5852	identity_helper.exe
5852	identity_helper.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
732	rundll32.exe
3400	powershell.exe
3400	powershell.exe
3400	powershell.exe
4280	explorha.exe
4280	explorha.exe
4476	explorha.exe
4476	explorha.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3256	explorha.exe
3256	explorha.exe
4388	explorha.exe
4388	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	Process
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3400	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

pDMNvQfde2FIEHTlZsFc.exemsedge.exe

pid	Process
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

pDMNvQfde2FIEHTlZsFc.exemsedge.exe

pid	Process
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
2248	pDMNvQfde2FIEHTlZsFc.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

conan.exevXbOe0IOrFqOJ3RBX7tj.exepDMNvQfde2FIEHTlZsFc.exemsedge.exemsedge.exemsedge.exe

description	pid	Process	procid_target
PID 1580 wrote to memory of 1416	1580	conan.exe	87
PID 1580 wrote to memory of 1416	1580	conan.exe	87
PID 1580 wrote to memory of 1416	1580	conan.exe	87
PID 1580 wrote to memory of 644	1580	conan.exe	89
PID 1580 wrote to memory of 644	1580	conan.exe	89
PID 1580 wrote to memory of 644	1580	conan.exe	89
PID 1580 wrote to memory of 3400	1580	conan.exe	98
PID 1580 wrote to memory of 3400	1580	conan.exe	98
PID 1580 wrote to memory of 3400	1580	conan.exe	98
PID 1580 wrote to memory of 592	1580	conan.exe	100
PID 1580 wrote to memory of 592	1580	conan.exe	100
PID 1580 wrote to memory of 592	1580	conan.exe	100
PID 1580 wrote to memory of 3888	1580	conan.exe	102
PID 1580 wrote to memory of 3888	1580	conan.exe	102
PID 1580 wrote to memory of 3888	1580	conan.exe	102
PID 1580 wrote to memory of 3052	1580	conan.exe	103
PID 1580 wrote to memory of 3052	1580	conan.exe	103
PID 1580 wrote to memory of 3052	1580	conan.exe	103
PID 1580 wrote to memory of 4268	1580	conan.exe	105
PID 1580 wrote to memory of 4268	1580	conan.exe	105
PID 1580 wrote to memory of 4268	1580	conan.exe	105
PID 1580 wrote to memory of 2248	1580	conan.exe	108
PID 1580 wrote to memory of 2248	1580	conan.exe	108
PID 1580 wrote to memory of 2248	1580	conan.exe	108
PID 3888 wrote to memory of 1216	3888	vXbOe0IOrFqOJ3RBX7tj.exe	109
PID 3888 wrote to memory of 1216	3888	vXbOe0IOrFqOJ3RBX7tj.exe	109
PID 3888 wrote to memory of 1216	3888	vXbOe0IOrFqOJ3RBX7tj.exe	109
PID 2248 wrote to memory of 4980	2248	pDMNvQfde2FIEHTlZsFc.exe	110
PID 2248 wrote to memory of 4980	2248	pDMNvQfde2FIEHTlZsFc.exe	110
PID 4980 wrote to memory of 2456	4980	msedge.exe	112
PID 4980 wrote to memory of 2456	4980	msedge.exe	112
PID 2248 wrote to memory of 4888	2248	pDMNvQfde2FIEHTlZsFc.exe	113
PID 2248 wrote to memory of 4888	2248	pDMNvQfde2FIEHTlZsFc.exe	113
PID 4888 wrote to memory of 1056	4888	msedge.exe	114
PID 4888 wrote to memory of 1056	4888	msedge.exe	114
PID 2248 wrote to memory of 1932	2248	pDMNvQfde2FIEHTlZsFc.exe	115
PID 2248 wrote to memory of 1932	2248	pDMNvQfde2FIEHTlZsFc.exe	115
PID 1932 wrote to memory of 1316	1932	msedge.exe	116
PID 1932 wrote to memory of 1316	1932	msedge.exe	116
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117
PID 4980 wrote to memory of 3968	4980	msedge.exe	117

outlook_office_path 1 IoCs

Processes:

conan.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

outlook_win_path 1 IoCs

Processes:

conan.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

C:\Users\Admin\AppData\Local\Temp\conan.exe
"C:\Users\Admin\AppData\Local\Temp\conan.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:592
- C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\vXbOe0IOrFqOJ3RBX7tj.exe
  "C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\vXbOe0IOrFqOJ3RBX7tj.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:5680
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:732
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:5484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:5128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\pDMNvQfde2FIEHTlZsFc.exe
  "C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\pDMNvQfde2FIEHTlZsFc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee94718
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:2576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:2424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
      4⤵
      PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:6076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      PID:3972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
      4⤵
      PID:5336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      4⤵
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee94718
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12164434068693872930,12129800140860022836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee94718
      4⤵
      PID:1316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8347799521481178533,6511208524997219383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5912
- C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\5JVua4DaMoZkTEvuxZBj.exe
  "C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\5JVua4DaMoZkTEvuxZBj.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:6104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 2244
  2⤵
  - Program crash
  PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1580 -ip 1580
1⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion