amadey | cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HJJECBKKEC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HJJECBKKEC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HJJECBKKEC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Executes dropped EXE 5 IoCs

pid	Process
2848	explorti.exe
2740	146b1bda79.exe
5044	HJJECBKKEC.exe
2236	explorti.exe
2520	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3119450053-3073099215-1938054741-1000\Software\Wine	HJJECBKKEC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3119450053-3073099215-1938054741-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3119450053-3073099215-1938054741-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3119450053-3073099215-1938054741-1000\Software\Wine	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
Key opened	\REGISTRY\USER\S-1-5-21-3119450053-3073099215-1938054741-1000\Software\Wine	explorti.exe

Loads dropped DLL 2 IoCs

pid	Process
2740	146b1bda79.exe
2740	146b1bda79.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
2848	explorti.exe
2740	146b1bda79.exe
2740	146b1bda79.exe
2740	146b1bda79.exe
5044	HJJECBKKEC.exe
2236	explorti.exe
2520	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	146b1bda79.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	146b1bda79.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
2848	explorti.exe
2848	explorti.exe
2740	146b1bda79.exe
2740	146b1bda79.exe
1584	msedge.exe
1584	msedge.exe
4364	msedge.exe
4364	msedge.exe
2740	146b1bda79.exe
2740	146b1bda79.exe
2100	identity_helper.exe
2100	identity_helper.exe
5044	HJJECBKKEC.exe
5044	HJJECBKKEC.exe
1608	msedge.exe
1608	msedge.exe
2236	explorti.exe
2236	explorti.exe
2520	explorti.exe
2520	explorti.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	146b1bda79.exe
704	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2848	4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe	82
PID 4948 wrote to memory of 2848	4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe	82
PID 4948 wrote to memory of 2848	4948	cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe	82
PID 2848 wrote to memory of 2740	2848	explorti.exe	83
PID 2848 wrote to memory of 2740	2848	explorti.exe	83
PID 2848 wrote to memory of 2740	2848	explorti.exe	83
PID 2848 wrote to memory of 3632	2848	explorti.exe	84
PID 2848 wrote to memory of 3632	2848	explorti.exe	84
PID 2848 wrote to memory of 3632	2848	explorti.exe	84
PID 3632 wrote to memory of 4364	3632	cmd.exe	86
PID 3632 wrote to memory of 4364	3632	cmd.exe	86
PID 4364 wrote to memory of 4008	4364	msedge.exe	89
PID 4364 wrote to memory of 4008	4364	msedge.exe	89
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 2964	4364	msedge.exe	90
PID 4364 wrote to memory of 1584	4364	msedge.exe	91
PID 4364 wrote to memory of 1584	4364	msedge.exe	91
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92
PID 4364 wrote to memory of 1764	4364	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe
"C:\Users\Admin\AppData\Local\Temp\cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\1000006001\146b1bda79.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\146b1bda79.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJECBKKEC.exe"
      4⤵
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\HJJECBKKEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJJECBKKEC.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDAAFBGDBK.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\71bb58696e.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8945b3cb8,0x7ff8945b3cc8,0x7ff8945b3cd8
        5⤵
        
        PID:4008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
        5⤵
        
        PID:2964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
        5⤵
        
        PID:1764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        5⤵
        
        PID:4280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:1124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
        5⤵
        
        PID:3912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        5⤵
        
        PID:1344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
        5⤵
        
        PID:4284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
        5⤵
        
        PID:4972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
        5⤵
        
        PID:3388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,11804881910328594554,12496299256030107196,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1708 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion