amadey | e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IJEBKKEGDB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IJEBKKEGDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IJEBKKEGDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	358bfcef5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1416	explorti.exe
2664	358bfcef5b.exe
2716	IJEBKKEGDB.exe
3764	explorti.exe
2584	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine	IJEBKKEGDB.exe
Key opened	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine	explorti.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	358bfcef5b.exe
2664	358bfcef5b.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
1416	explorti.exe
2664	358bfcef5b.exe
2664	358bfcef5b.exe
2716	IJEBKKEGDB.exe
3764	explorti.exe
2584	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	358bfcef5b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	358bfcef5b.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
1416	explorti.exe
1416	explorti.exe
2664	358bfcef5b.exe
2664	358bfcef5b.exe
4336	msedge.exe
4336	msedge.exe
976	msedge.exe
976	msedge.exe
2664	358bfcef5b.exe
2664	358bfcef5b.exe
3236	identity_helper.exe
3236	identity_helper.exe
2716	IJEBKKEGDB.exe
2716	IJEBKKEGDB.exe
3764	explorti.exe
3764	explorti.exe
2584	explorti.exe
2584	explorti.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	358bfcef5b.exe
3276	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1416	2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	85
PID 2756 wrote to memory of 1416	2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	85
PID 2756 wrote to memory of 1416	2756	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	85
PID 1416 wrote to memory of 2664	1416	explorti.exe	86
PID 1416 wrote to memory of 2664	1416	explorti.exe	86
PID 1416 wrote to memory of 2664	1416	explorti.exe	86
PID 1416 wrote to memory of 2604	1416	explorti.exe	87
PID 1416 wrote to memory of 2604	1416	explorti.exe	87
PID 1416 wrote to memory of 2604	1416	explorti.exe	87
PID 2604 wrote to memory of 976	2604	cmd.exe	89
PID 2604 wrote to memory of 976	2604	cmd.exe	89
PID 976 wrote to memory of 1124	976	msedge.exe	91
PID 976 wrote to memory of 1124	976	msedge.exe	91
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4392	976	msedge.exe	92
PID 976 wrote to memory of 4336	976	msedge.exe	93
PID 976 wrote to memory of 4336	976	msedge.exe	93
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94
PID 976 wrote to memory of 4112	976	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
"C:\Users\Admin\AppData\Local\Temp\e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\1000006001\358bfcef5b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\358bfcef5b.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJEBKKEGDB.exe"
      4⤵
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\IJEBKKEGDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IJEBKKEGDB.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAKEBGIID.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\8154c775fc.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7fffa5be46f8,0x7fffa5be4708,0x7fffa5be4718
        5⤵
        
        PID:1124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3056 /prefetch:8
        5⤵
        
        PID:4112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
        5⤵
        
        PID:5096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        5⤵
        
        PID:3524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
        5⤵
        
        PID:4304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        5⤵
        
        PID:2380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        5⤵
        
        PID:724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        5⤵
        
        PID:4108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        5⤵
        
        PID:2616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        
        PID:1304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6835008375277774028,1328697642691418600,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2932 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion