amadey | 647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b119216496.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1db96254f4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1db96254f4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b119216496.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b119216496.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1db96254f4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	1db96254f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	a24741aa59.exe

Executes dropped EXE 10 IoCs

pid	Process
1584	explortu.exe
4508	1db96254f4.exe
1056	explortu.exe
1600	axplong.exe
3936	b119216496.exe
3188	a24741aa59.exe
4772	axplong.exe
1156	explortu.exe
5292	explortu.exe
5240	axplong.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	1db96254f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	b119216496.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b119216496.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\b119216496.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000002355b-81.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
1584	explortu.exe
4508	1db96254f4.exe
1056	explortu.exe
1600	axplong.exe
3936	b119216496.exe
4772	axplong.exe
1156	explortu.exe
5240	axplong.exe
5292	explortu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
File created	C:\Windows\Tasks\axplong.job	1db96254f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632825702527437"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{BE477E77-F194-4795-9B48-87EBF0DB69CF}	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
1584	explortu.exe
1584	explortu.exe
4508	1db96254f4.exe
4508	1db96254f4.exe
1056	explortu.exe
1056	explortu.exe
1600	axplong.exe
1600	axplong.exe
3936	b119216496.exe
3936	b119216496.exe
384	chrome.exe
384	chrome.exe
4772	axplong.exe
4772	axplong.exe
1156	explortu.exe
1156	explortu.exe
5240	axplong.exe
5240	axplong.exe
5292	explortu.exe
5292	explortu.exe
4024	chrome.exe
4024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4508	1db96254f4.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
384	chrome.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe
3188	a24741aa59.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1584	3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe	92
PID 3780 wrote to memory of 1584	3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe	92
PID 3780 wrote to memory of 1584	3780	647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe	92
PID 1584 wrote to memory of 1020	1584	explortu.exe	97
PID 1584 wrote to memory of 1020	1584	explortu.exe	97
PID 1584 wrote to memory of 1020	1584	explortu.exe	97
PID 1584 wrote to memory of 4508	1584	explortu.exe	100
PID 1584 wrote to memory of 4508	1584	explortu.exe	100
PID 1584 wrote to memory of 4508	1584	explortu.exe	100
PID 4508 wrote to memory of 1600	4508	1db96254f4.exe	102
PID 4508 wrote to memory of 1600	4508	1db96254f4.exe	102
PID 4508 wrote to memory of 1600	4508	1db96254f4.exe	102
PID 1584 wrote to memory of 3936	1584	explortu.exe	104
PID 1584 wrote to memory of 3936	1584	explortu.exe	104
PID 1584 wrote to memory of 3936	1584	explortu.exe	104
PID 1584 wrote to memory of 3188	1584	explortu.exe	106
PID 1584 wrote to memory of 3188	1584	explortu.exe	106
PID 1584 wrote to memory of 3188	1584	explortu.exe	106
PID 3188 wrote to memory of 384	3188	a24741aa59.exe	107
PID 3188 wrote to memory of 384	3188	a24741aa59.exe	107
PID 384 wrote to memory of 4032	384	chrome.exe	109
PID 384 wrote to memory of 4032	384	chrome.exe	109
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4572	384	chrome.exe	110
PID 384 wrote to memory of 4396	384	chrome.exe	111
PID 384 wrote to memory of 4396	384	chrome.exe	111
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112
PID 384 wrote to memory of 1472	384	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe
"C:\Users\Admin\AppData\Local\Temp\647f2d3d12ea7cc0d0f12798b9fb94aebfc0ece303700351d2bbeaa48bd39904.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1020
- - C:\Users\Admin\1000015002\1db96254f4.exe
    "C:\Users\Admin\1000015002\1db96254f4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\1000016001\b119216496.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\b119216496.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\1000017001\a24741aa59.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\a24741aa59.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca8eaab58,0x7ffca8eaab68,0x7ffca8eaab78
        5⤵
        
        PID:4032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:2
        5⤵
        
        PID:4572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:4396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:1472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2520 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:1
        5⤵
        
        PID:5152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:1
        5⤵
        
        PID:5160
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:1
        5⤵
        
        PID:5628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4496 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:1
        5⤵
        
        PID:5736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3948 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:5848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:5856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:6120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:5388
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:8
        5⤵
        
        PID:4280
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 --field-trial-handle=1932,i,2187390252584750620,2799225411019031153,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion