amadey | 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BAKKEGCAAE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BAKKEGCAAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BAKKEGCAAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	BAKKEGCAAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	explorti.exe

Executes dropped EXE 6 IoCs

pid	Process
3252	BAKKEGCAAE.exe
780	explorti.exe
2380	82e5237dde.exe
2452	explorti.exe
4460	explorti.exe
4588	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	BAKKEGCAAE.exe

Loads dropped DLL 2 IoCs

pid	Process
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
3252	BAKKEGCAAE.exe
780	explorti.exe
2380	82e5237dde.exe
2452	explorti.exe
4460	explorti.exe
4588	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	BAKKEGCAAE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
3252	BAKKEGCAAE.exe
3252	BAKKEGCAAE.exe
780	explorti.exe
780	explorti.exe
740	msedge.exe
740	msedge.exe
756	msedge.exe
756	msedge.exe
1356	identity_helper.exe
1356	identity_helper.exe
2452	explorti.exe
2452	explorti.exe
4460	explorti.exe
4460	explorti.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4588	explorti.exe
4588	explorti.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3252	BAKKEGCAAE.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
3636	cmd.exe
2380	82e5237dde.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4204	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	84
PID 216 wrote to memory of 4204	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	84
PID 216 wrote to memory of 4204	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	84
PID 216 wrote to memory of 3636	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	85
PID 216 wrote to memory of 3636	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	85
PID 216 wrote to memory of 3636	216	179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe	85
PID 4204 wrote to memory of 3252	4204	cmd.exe	88
PID 4204 wrote to memory of 3252	4204	cmd.exe	88
PID 4204 wrote to memory of 3252	4204	cmd.exe	88
PID 3252 wrote to memory of 780	3252	BAKKEGCAAE.exe	89
PID 3252 wrote to memory of 780	3252	BAKKEGCAAE.exe	89
PID 3252 wrote to memory of 780	3252	BAKKEGCAAE.exe	89
PID 780 wrote to memory of 2380	780	explorti.exe	90
PID 780 wrote to memory of 2380	780	explorti.exe	90
PID 780 wrote to memory of 2380	780	explorti.exe	90
PID 780 wrote to memory of 1448	780	explorti.exe	91
PID 780 wrote to memory of 1448	780	explorti.exe	91
PID 780 wrote to memory of 1448	780	explorti.exe	91
PID 1448 wrote to memory of 756	1448	cmd.exe	93
PID 1448 wrote to memory of 756	1448	cmd.exe	93
PID 756 wrote to memory of 2376	756	msedge.exe	95
PID 756 wrote to memory of 2376	756	msedge.exe	95
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 1176	756	msedge.exe	96
PID 756 wrote to memory of 740	756	msedge.exe	97
PID 756 wrote to memory of 740	756	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe
"C:\Users\Admin\AppData\Local\Temp\179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAKKEGCAAE.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\BAKKEGCAAE.exe
    "C:\Users\Admin\AppData\Local\Temp\BAKKEGCAAE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\82e5237dde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\82e5237dde.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\94982dcb44.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff93e5146f8,0x7ff93e514708,0x7ff93e514718
        7⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        7⤵
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        7⤵
        
        PID:1288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        7⤵
        
        PID:2024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
        7⤵
        
        PID:3824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        7⤵
        
        PID:992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        7⤵
        
        PID:1376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
        7⤵
        
        PID:3960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        7⤵
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,14911759702774596722,7141024526409901413,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion