mercurialgrabber | hxxps://github[.]com/xsplitst/RGF/archive/refs/heads/main[.]zip

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
70	5828	Process not Found

Looks for VMWare Tools registry key 2 TTPs 8 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
92	discord.com
105	discord.com
106	discord.com
56	discord.com
78	discord.com
107	discord.com
61	discord.com
97	discord.com
95	discord.com
69	discord.com
76	discord.com
98	discord.com
100	discord.com
101	discord.com
104	discord.com
67	discord.com
75	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip4.seeip.org
53	ip-api.com
89	ip-api.com

Maps connected drives based on registry 3 TTPs 16 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5644	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\.md\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\୮泷㍤耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\.md	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\md_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\୮泷㍤耀\ = "md_auto_file"	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5272	NOTEPAD.EXE
5996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
4572	msedge.exe
4572	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
5212	sdiagnhost.exe
5212	sdiagnhost.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4856	msdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	RBF.exe
Token: SeDebugPrivilege	4072	RBF.exe
Token: SeDebugPrivilege	2360	RBF.exe
Token: SeDebugPrivilege	5512	RBF.exe
Token: SeDebugPrivilege	5712	RBF.exe
Token: SeDebugPrivilege	5364	RBF.exe
Token: SeDebugPrivilege	5212	sdiagnhost.exe
Token: SeDebugPrivilege	4808	RBF.exe
Token: SeDebugPrivilege	2868	RBF.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4856	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe
5196	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4768	4572	msedge.exe	86
PID 4572 wrote to memory of 4768	4572	msedge.exe	86
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 4460	4572	msedge.exe	87
PID 4572 wrote to memory of 2520	4572	msedge.exe	88
PID 4572 wrote to memory of 2520	4572	msedge.exe	88
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89
PID 4572 wrote to memory of 1200	4572	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/xsplitst/RGF/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e98a46f8,0x7ff8e98a4708,0x7ff8e98a4718
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,6253683789130042032,8709977067866741167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5196
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Input.zip\RoBrute-master\README.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5272

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTU4QTlEMkMtQTU4My00NjAxLTk2QzQtMUVCQjA2OEI3REM3fSIgdXNlcmlkPSJ7RTRFMjk0QUItMDFBNS00ODU5LUE2NzItODczNEI0OEQzMTU0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTM5REI3NEEtN0QxQy00MjIwLUIxQUMtQ0M4RDU5MzRFODdEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTU3NDM4MTA4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Input.zip\RoBrute-master\requirements.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5996

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RGF-main\RGF-main\README.md
1⤵
PID:4860

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
"C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5364

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe" ContextMenu
1⤵
PID:4292
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWFC2E.xml /skip TRUE
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4856
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
    3⤵
    - Checks computer location settings
    PID:2700
  - - C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
      "C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4808
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
    3⤵
    - Checks computer location settings
    PID:4476
  - - C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe
      "C:\Users\Admin\Downloads\RGF-main\RGF-main\RBF.exe"
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2868

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzcng0sy\lzcng0sy.cmdline"
  2⤵
  PID:5896
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1.tmp" "c:\Users\Admin\AppData\Local\Temp\lzcng0sy\CSC23FA824DC7F94FA4A14F2A1BDD95339.TMP"
    3⤵
    PID:4984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wr3rk1mj\wr3rk1mj.cmdline"
  2⤵
  PID:5428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AC.tmp" "c:\Users\Admin\AppData\Local\Temp\wr3rk1mj\CSC42407775CB464D22AFCB78667996ED3.TMP"
    3⤵
    PID:224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4j3pasvx\4j3pasvx.cmdline"
  2⤵
  PID:5452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12D2.tmp" "c:\Users\Admin\AppData\Local\Temp\4j3pasvx\CSC1A9760E3DFC94B618BA55205149AAF2.TMP"
    3⤵
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion