amadey | 5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0c0d8b8e77.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec37de2697.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0c0d8b8e77.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec37de2697.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec37de2697.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0c0d8b8e77.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svoutse.exe

Executes dropped EXE 7 IoCs

pid	Process
3116	svoutse.exe
2036	6494acf963.exe
2324	0c0d8b8e77.exe
3124	ec37de2697.exe
1568	svoutse.exe
5484	svoutse.exe
3200	svoutse.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	0c0d8b8e77.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	ec37de2697.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0002000000022aa8-26.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
3116	svoutse.exe
2324	0c0d8b8e77.exe
3124	ec37de2697.exe
1568	svoutse.exe
5484	svoutse.exe
3200	svoutse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\svoutse.job	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svoutse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6494acf963.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c0d8b8e77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec37de2697.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
3116	svoutse.exe
3116	svoutse.exe
2860	msedge.exe
2860	msedge.exe
732	msedge.exe
732	msedge.exe
2324	0c0d8b8e77.exe
2324	0c0d8b8e77.exe
3124	ec37de2697.exe
3124	ec37de2697.exe
5820	identity_helper.exe
5820	identity_helper.exe
1568	svoutse.exe
1568	svoutse.exe
5484	svoutse.exe
5484	svoutse.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
3200	svoutse.exe
3200	svoutse.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2036	6494acf963.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe
732	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
2036	6494acf963.exe
2036	6494acf963.exe
732	msedge.exe
732	msedge.exe
2036	6494acf963.exe
2036	6494acf963.exe
732	msedge.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe
2036	6494acf963.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3116	1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe	87
PID 1748 wrote to memory of 3116	1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe	87
PID 1748 wrote to memory of 3116	1748	5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe	87
PID 3116 wrote to memory of 2036	3116	svoutse.exe	89
PID 3116 wrote to memory of 2036	3116	svoutse.exe	89
PID 3116 wrote to memory of 2036	3116	svoutse.exe	89
PID 2036 wrote to memory of 732	2036	6494acf963.exe	90
PID 2036 wrote to memory of 732	2036	6494acf963.exe	90
PID 732 wrote to memory of 1020	732	msedge.exe	91
PID 732 wrote to memory of 1020	732	msedge.exe	91
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 1544	732	msedge.exe	92
PID 732 wrote to memory of 2860	732	msedge.exe	93
PID 732 wrote to memory of 2860	732	msedge.exe	93
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94
PID 732 wrote to memory of 2700	732	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe
"C:\Users\Admin\AppData\Local\Temp\5dac0bb26a5a94bab13e7f3d8c254acb93ac6f09109812c1d7893b50912ce908.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\1000015001\6494acf963.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\6494acf963.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d28546f8,0x7ff9d2854708,0x7ff9d2854718
        5⤵
        
        PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:1544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        
        PID:4412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        5⤵
        
        PID:4208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
        5⤵
        
        PID:3732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
        5⤵
        
        PID:1396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
        5⤵
        
        PID:1188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
        5⤵
        
        PID:4276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
        5⤵
        
        PID:4160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
        5⤵
        
        PID:3144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        5⤵
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        5⤵
        
        PID:4600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        5⤵
        
        PID:3000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        5⤵
        
        PID:1220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
        5⤵
        
        PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:1680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        5⤵
        
        PID:5188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
        5⤵
        
        PID:5196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
        5⤵
        
        PID:5600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        5⤵
        
        PID:5808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
        5⤵
        
        PID:5824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
        5⤵
        
        PID:5896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
        5⤵
        
        PID:5936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
        5⤵
        
        PID:5944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
        5⤵
        
        PID:5984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
        5⤵
        
        PID:5992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
        5⤵
        
        PID:5548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
        5⤵
        
        PID:5656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
        5⤵
        
        PID:5460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
        5⤵
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:8
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10725473359078230105,4523701392542276641,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1316 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184
- - C:\Users\Admin\AppData\Roaming\1000017000\0c0d8b8e77.exe
    "C:\Users\Admin\AppData\Roaming\1000017000\0c0d8b8e77.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- - C:\Users\Admin\AppData\Roaming\1000019000\ec37de2697.exe
    "C:\Users\Admin\AppData\Roaming\1000019000\ec37de2697.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5528

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d6eafe9773f38af54e912837faf4c41c pMBgKik370ilTxF3ozd2pA.0.1.0.0.0
1⤵
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5484

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion