amadey | 29c4ad548b256164b8a892c659bd38f94fde34b63e412059a04098daa5c32653

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d95a35cf969288d0d43e4b54f6d3db20N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	73a67bce72.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8380d55f3a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d95a35cf969288d0d43e4b54f6d3db20N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73a67bce72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8380d55f3a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8380d55f3a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d95a35cf969288d0d43e4b54f6d3db20N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	73a67bce72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	d95a35cf969288d0d43e4b54f6d3db20N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svoutse.exe

Executes dropped EXE 6 IoCs

pid	Process
1376	svoutse.exe
2084	b2eedcf053.exe
5168	73a67bce72.exe
6340	8380d55f3a.exe
2256	svoutse.exe
6324	svoutse.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	73a67bce72.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	8380d55f3a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	d95a35cf969288d0d43e4b54f6d3db20N.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000235f3-26.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4284	d95a35cf969288d0d43e4b54f6d3db20N.exe
1376	svoutse.exe
5168	73a67bce72.exe
6340	8380d55f3a.exe
2256	svoutse.exe
6324	svoutse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\svoutse.job	d95a35cf969288d0d43e4b54f6d3db20N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d95a35cf969288d0d43e4b54f6d3db20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svoutse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2eedcf053.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a67bce72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8380d55f3a.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693697733974855"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{613078A1-FB03-4963-A310-790B7BEDE53E}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4284	d95a35cf969288d0d43e4b54f6d3db20N.exe
4284	d95a35cf969288d0d43e4b54f6d3db20N.exe
1376	svoutse.exe
1376	svoutse.exe
5168	73a67bce72.exe
5168	73a67bce72.exe
6340	8380d55f3a.exe
6340	8380d55f3a.exe
2256	svoutse.exe
2256	svoutse.exe
5044	msedge.exe
5044	msedge.exe
6324	svoutse.exe
6324	svoutse.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	b2eedcf053.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4284	d95a35cf969288d0d43e4b54f6d3db20N.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
5044	msedge.exe
5044	msedge.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe
2084	b2eedcf053.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1376	4284	d95a35cf969288d0d43e4b54f6d3db20N.exe	94
PID 4284 wrote to memory of 1376	4284	d95a35cf969288d0d43e4b54f6d3db20N.exe	94
PID 4284 wrote to memory of 1376	4284	d95a35cf969288d0d43e4b54f6d3db20N.exe	94
PID 1376 wrote to memory of 2084	1376	svoutse.exe	96
PID 1376 wrote to memory of 2084	1376	svoutse.exe	96
PID 1376 wrote to memory of 2084	1376	svoutse.exe	96
PID 2084 wrote to memory of 5044	2084	b2eedcf053.exe	97
PID 2084 wrote to memory of 5044	2084	b2eedcf053.exe	97
PID 5044 wrote to memory of 2608	5044	msedge.exe	98
PID 5044 wrote to memory of 2608	5044	msedge.exe	98
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4344	5044	msedge.exe	99
PID 5044 wrote to memory of 4332	5044	msedge.exe	100
PID 5044 wrote to memory of 4332	5044	msedge.exe	100
PID 5044 wrote to memory of 4636	5044	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\d95a35cf969288d0d43e4b54f6d3db20N.exe
"C:\Users\Admin\AppData\Local\Temp\d95a35cf969288d0d43e4b54f6d3db20N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\1000015001\b2eedcf053.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\b2eedcf053.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffe9823d198,0x7ffe9823d1a4,0x7ffe9823d1b0
        5⤵
        
        PID:2608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2244,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
        5⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1948,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        
        PID:4332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2292,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:8
        5⤵
        
        PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3380,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3404,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
        5⤵
        
        PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4492,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:1
        5⤵
        
        PID:3688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:2
        5⤵
        
        PID:3256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4808,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4820 /prefetch:1
        5⤵
        
        PID:2812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4876,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:2
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4968,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:2
        5⤵
        
        PID:3740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4000,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:2
        5⤵
        
        PID:4536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5440,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5456,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:2
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5508,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5688 /prefetch:1
        5⤵
        
        PID:408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5520,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:2
        5⤵
        
        PID:5132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5504,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:1
        5⤵
        
        PID:5140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5656,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:2
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5640,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:1
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5668,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:2
        5⤵
        
        PID:5184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5512,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:1
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6068,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:2
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7376,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:1
        5⤵
        
        PID:6132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7356,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7392 /prefetch:1
        5⤵
        
        PID:6140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5488,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7304 /prefetch:1
        5⤵
        
        PID:944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7612,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
        5⤵
        
        PID:4388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7744,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7756 /prefetch:1
        5⤵
        
        PID:3936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6152,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5960 /prefetch:1
        5⤵
        
        PID:1888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7276,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7920 /prefetch:1
        5⤵
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=7952,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:8
        5⤵
        
        PID:312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7636,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8108 /prefetch:8
        5⤵
        
        PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7636,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8108 /prefetch:8
        5⤵
        
        PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
        5⤵
        
        PID:6468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5820,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        
        PID:6476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6516,i,9722243511825703495,7160731874075245174,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
        5⤵
        
        PID:1968
- - C:\Users\Admin\AppData\Roaming\1000017000\73a67bce72.exe
    "C:\Users\Admin\AppData\Roaming\1000017000\73a67bce72.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5168
- - C:\Users\Admin\AppData\Roaming\1000019000\8380d55f3a.exe
    "C:\Users\Admin\AppData\Roaming\1000019000\8380d55f3a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion