amadey | e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EHIDAKECFI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EHIDAKECFI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EHIDAKECFI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Executes dropped EXE 5 IoCs

pid	Process
684	explorti.exe
672	7cf54894d1.exe
1228	EHIDAKECFI.exe
2396	explorti.exe
2044	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine	EHIDAKECFI.exe
Key opened	\REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine	explorti.exe

Loads dropped DLL 2 IoCs

pid	Process
672	7cf54894d1.exe
672	7cf54894d1.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
684	explorti.exe
672	7cf54894d1.exe
672	7cf54894d1.exe
1228	EHIDAKECFI.exe
2396	explorti.exe
2044	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7cf54894d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7cf54894d1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
684	explorti.exe
684	explorti.exe
672	7cf54894d1.exe
672	7cf54894d1.exe
1840	msedge.exe
1840	msedge.exe
1588	msedge.exe
1588	msedge.exe
672	7cf54894d1.exe
672	7cf54894d1.exe
1228	EHIDAKECFI.exe
1228	EHIDAKECFI.exe
8	msedge.exe
8	msedge.exe
3552	identity_helper.exe
3552	identity_helper.exe
2396	explorti.exe
2396	explorti.exe
2044	explorti.exe
2044	explorti.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
672	7cf54894d1.exe
3032	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 684	1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	82
PID 1896 wrote to memory of 684	1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	82
PID 1896 wrote to memory of 684	1896	e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe	82
PID 684 wrote to memory of 672	684	explorti.exe	83
PID 684 wrote to memory of 672	684	explorti.exe	83
PID 684 wrote to memory of 672	684	explorti.exe	83
PID 684 wrote to memory of 3552	684	explorti.exe	84
PID 684 wrote to memory of 3552	684	explorti.exe	84
PID 684 wrote to memory of 3552	684	explorti.exe	84
PID 3552 wrote to memory of 1588	3552	cmd.exe	86
PID 3552 wrote to memory of 1588	3552	cmd.exe	86
PID 1588 wrote to memory of 1860	1588	msedge.exe	89
PID 1588 wrote to memory of 1860	1588	msedge.exe	89
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 5024	1588	msedge.exe	90
PID 1588 wrote to memory of 1840	1588	msedge.exe	91
PID 1588 wrote to memory of 1840	1588	msedge.exe	91
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92
PID 1588 wrote to memory of 2788	1588	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe
"C:\Users\Admin\AppData\Local\Temp\e106c7d47aa2546fb2a2f53a0ec26cc5beb1c39eb4d50927d35bb03ad3b211ff.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\1000006001\7cf54894d1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\7cf54894d1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHIDAKECFI.exe"
      4⤵
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\EHIDAKECFI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EHIDAKECFI.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGCAAFBFB.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\2302cbeabe.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb44c63cb8,0x7ffb44c63cc8,0x7ffb44c63cd8
        5⤵
        
        PID:1860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
        5⤵
        
        PID:5024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        5⤵
        
        PID:2788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        5⤵
        
        PID:2088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
        5⤵
        
        PID:2760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
        5⤵
        
        PID:3968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        5⤵
        
        PID:4444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        5⤵
        
        PID:876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,5962285622434272267,5384372294122794933,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5432 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion