amadey | 2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f472ac9f9d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6bdd1863ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1T30B3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2R5826.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c760a82587.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
131	4708	MSBuild.exe
197	4708	MSBuild.exe
379	4708	MSBuild.exe
521	4708	MSBuild.exe
552	4708	MSBuild.exe
98	4708	MSBuild.exe
285	4708	MSBuild.exe
390	4708	MSBuild.exe
516	4708	MSBuild.exe
32	4720	rapes.exe
32	4720	rapes.exe
32	4720	rapes.exe
532	3476	MSBuild.exe
532	3476	MSBuild.exe
120	4708	MSBuild.exe

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3704	msedge.exe
2504	chrome.exe
1184	chrome.exe
5592	msedge.exe
2432	chrome.exe
2272	chrome.exe
5200	chrome.exe
3224	msedge.exe
3052	chrome.exe
2116	chrome.exe
3020	msedge.exe
4136	chrome.exe
6052	msedge.exe
1548	chrome.exe
5636	chrome.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2R5826.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c760a82587.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6bdd1863ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2R5826.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6bdd1863ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1T30B3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1T30B3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c760a82587.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f472ac9f9d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f472ac9f9d.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	1T30B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	futors.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	esVTsWUdaTVY8tnF.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	tCx0ZAZ8hctGLoZh.exe

Executes dropped EXE 45 IoCs

pid	Process
5480	M8j28.exe
3408	1T30B3.exe
4720	rapes.exe
4708	2R5826.exe
3856	AfkeY2q.exe
3232	CmvdYC4.exe
6120	ZSoeRVBe.exe
5564	ibC8xs1.exe
5832	exp.exe
5984	rapes.exe
5216	DgQBvwg.exe
3368	exp.exe
4492	steamerrorreporter.exe
1324	steamerrorreporter.exe
4836	amnew.exe
1464	futors.exe
4440	CmvdYC4.exe
2632	ZSoeRVBe.exe
5984	v7942.exe
3400	qhjMWht.exe
5044	joker1221.exe
5700	Rm3cVPI.exe
1280	legendarik.exe
3888	AfkeY2q.exe
2988	EXE.exe
4176	steamerrorreporter.exe
5496	steamerrorreporter.exe
924	crypted.exe
4412	9sWdA2p.exe
740	rapes.exe
5956	futors.exe
2992	c760a82587.exe
3816	f472ac9f9d.exe
5336	svchost015.exe
4204	6bdd1863ff.exe
4000	larBxd7.exe
1896	svchost015.exe
1604	kxt2v3e3wt.exe
4792	rimglf379z.exe
1264	rimglf379z.exe
5980	v3w4euaiec.exe
4728	esVTsWUdaTVY8tnF.exe
4684	tCx0ZAZ8hctGLoZh.exe
6252	esVTsWUdaTVY8tnF.exe
7604	TJnSZ3p4qrtzPd1E.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	2R5826.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	c760a82587.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	f472ac9f9d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	6bdd1863ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	1T30B3.exe

Loads dropped DLL 64 IoCs

pid	Process
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
6120	ZSoeRVBe.exe
4492	steamerrorreporter.exe
4492	steamerrorreporter.exe
1324	steamerrorreporter.exe
1324	steamerrorreporter.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe
2632	ZSoeRVBe.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6lGDvfSX\\esVTsWUdaTVY8tnF.exe"	esVTsWUdaTVY8tnF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	M8j28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f472ac9f9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10054110101\\f472ac9f9d.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6bdd1863ff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10054120101\\6bdd1863ff.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com
251	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	c760a82587.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3408	1T30B3.exe
4708	2R5826.exe
4720	rapes.exe
5984	rapes.exe
740	rapes.exe
2992	c760a82587.exe
3816	f472ac9f9d.exe
4204	6bdd1863ff.exe

Suspicious use of SetThreadContext 46 IoCs

description	pid	Process	procid_target
PID 5564 set thread context of 4708	5564	ibC8xs1.exe	124
PID 5832 set thread context of 5956	5832	exp.exe	135
PID 4708 set thread context of 5860	4708	MSBuild.exe	137
PID 5216 set thread context of 4160	5216	DgQBvwg.exe	146
PID 4708 set thread context of 1544	4708	MSBuild.exe	147
PID 3368 set thread context of 4736	3368	exp.exe	158
PID 4708 set thread context of 2684	4708	MSBuild.exe	159
PID 4708 set thread context of 5504	4708	MSBuild.exe	166
PID 4708 set thread context of 1916	4708	MSBuild.exe	179
PID 4708 set thread context of 4808	4708	MSBuild.exe	185
PID 4708 set thread context of 4828	4708	MSBuild.exe	193
PID 5984 set thread context of 3476	5984	v7942.exe	198
PID 4708 set thread context of 5824	4708	MSBuild.exe	199
PID 4708 set thread context of 5384	4708	MSBuild.exe	202
PID 5044 set thread context of 4204	5044	joker1221.exe	207
PID 4708 set thread context of 3552	4708	MSBuild.exe	210
PID 4708 set thread context of 5972	4708	MSBuild.exe	226
PID 1280 set thread context of 4284	1280	legendarik.exe	230
PID 1324 set thread context of 2412	1324	steamerrorreporter.exe	212
PID 4708 set thread context of 872	4708	MSBuild.exe	238
PID 3888 set thread context of 4452	3888	AfkeY2q.exe	242
PID 4708 set thread context of 1460	4708	MSBuild.exe	243
PID 4708 set thread context of 5616	4708	MSBuild.exe	251
PID 4708 set thread context of 5740	4708	MSBuild.exe	263
PID 924 set thread context of 116	924	crypted.exe	268
PID 4708 set thread context of 1724	4708	MSBuild.exe	270
PID 4708 set thread context of 1064	4708	MSBuild.exe	273
PID 4708 set thread context of 5872	4708	MSBuild.exe	281
PID 4708 set thread context of 4436	4708	MSBuild.exe	285
PID 3816 set thread context of 5336	3816	f472ac9f9d.exe	288
PID 4708 set thread context of 2768	4708	MSBuild.exe	291
PID 4708 set thread context of 1588	4708	MSBuild.exe	294
PID 5496 set thread context of 4896	5496	steamerrorreporter.exe	289
PID 4708 set thread context of 3004	4708	MSBuild.exe	298
PID 4204 set thread context of 1896	4204	6bdd1863ff.exe	302
PID 4708 set thread context of 5804	4708	MSBuild.exe	303
PID 1604 set thread context of 4728	1604	kxt2v3e3wt.exe	306
PID 4792 set thread context of 1264	4792	rimglf379z.exe	309
PID 4708 set thread context of 3024	4708	MSBuild.exe	310
PID 4708 set thread context of 7776	4708	MSBuild.exe	325
PID 4708 set thread context of 7880	4708	MSBuild.exe	328
PID 4708 set thread context of 7404	4708	MSBuild.exe	331
PID 4708 set thread context of 5496	4708	MSBuild.exe	334
PID 4708 set thread context of 3492	4708	MSBuild.exe	337
PID 4708 set thread context of 24484	4708	MSBuild.exe	346
PID 4708 set thread context of 24428	4708	MSBuild.exe	349

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\futors.job	amnew.exe
File created	C:\Windows\Installer\e585cf0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e585cf4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDFA.tmp	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	1T30B3.exe
File opened for modification	C:\Windows\Installer\e585cf0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{21A523FF-B931-41F7-BDB8-D9653E221476}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E09.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5172	4204	WerFault.exe	207
18192	4728	WerFault.exe	316
24400	4684	WerFault.exe	317
24452	7604	WerFault.exe	321

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c760a82587.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esVTsWUdaTVY8tnF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tCx0ZAZ8hctGLoZh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2R5826.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TJnSZ3p4qrtzPd1E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M8j28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3w4euaiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f472ac9f9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bdd1863ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1T30B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esVTsWUdaTVY8tnF.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rimglf379z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rimglf379z.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
7760	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884812845249474"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	rapes.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4708	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	1T30B3.exe
3408	1T30B3.exe
4708	2R5826.exe
4708	2R5826.exe
4720	rapes.exe
4720	rapes.exe
4708	2R5826.exe
4708	2R5826.exe
4708	2R5826.exe
4708	2R5826.exe
5564	ibC8xs1.exe
5564	ibC8xs1.exe
5832	exp.exe
5832	exp.exe
5984	rapes.exe
5984	rapes.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe
5216	DgQBvwg.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1324	steamerrorreporter.exe
1324	steamerrorreporter.exe
5496	steamerrorreporter.exe
5496	steamerrorreporter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
6052	msedge.exe
6052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6120	ZSoeRVBe.exe
Token: SeDebugPrivilege	5564	ibC8xs1.exe
Token: SeDebugPrivilege	5832	exp.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	4708	MSBuild.exe
Token: SeDebugPrivilege	5216	DgQBvwg.exe
Token: SeDebugPrivilege	3368	exp.exe
Token: SeShutdownPrivilege	4832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4832	msiexec.exe
Token: SeSecurityPrivilege	4812	msiexec.exe
Token: SeCreateTokenPrivilege	4832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4832	msiexec.exe
Token: SeLockMemoryPrivilege	4832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4832	msiexec.exe
Token: SeMachineAccountPrivilege	4832	msiexec.exe
Token: SeTcbPrivilege	4832	msiexec.exe
Token: SeSecurityPrivilege	4832	msiexec.exe
Token: SeTakeOwnershipPrivilege	4832	msiexec.exe
Token: SeLoadDriverPrivilege	4832	msiexec.exe
Token: SeSystemProfilePrivilege	4832	msiexec.exe
Token: SeSystemtimePrivilege	4832	msiexec.exe
Token: SeProfSingleProcessPrivilege	4832	msiexec.exe
Token: SeIncBasePriorityPrivilege	4832	msiexec.exe
Token: SeCreatePagefilePrivilege	4832	msiexec.exe
Token: SeCreatePermanentPrivilege	4832	msiexec.exe
Token: SeBackupPrivilege	4832	msiexec.exe
Token: SeRestorePrivilege	4832	msiexec.exe
Token: SeShutdownPrivilege	4832	msiexec.exe
Token: SeDebugPrivilege	4832	msiexec.exe
Token: SeAuditPrivilege	4832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4832	msiexec.exe
Token: SeChangeNotifyPrivilege	4832	msiexec.exe
Token: SeRemoteShutdownPrivilege	4832	msiexec.exe
Token: SeUndockPrivilege	4832	msiexec.exe
Token: SeSyncAgentPrivilege	4832	msiexec.exe
Token: SeEnableDelegationPrivilege	4832	msiexec.exe
Token: SeManageVolumePrivilege	4832	msiexec.exe
Token: SeImpersonatePrivilege	4832	msiexec.exe
Token: SeCreateGlobalPrivilege	4832	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4708	MSBuild.exe
3052	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
6052	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4708	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 5480	3516	2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe	87
PID 3516 wrote to memory of 5480	3516	2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe	87
PID 3516 wrote to memory of 5480	3516	2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe	87
PID 5592 wrote to memory of 824	5592	cmd.exe	88
PID 5592 wrote to memory of 824	5592	cmd.exe	88
PID 5480 wrote to memory of 3408	5480	M8j28.exe	91
PID 5480 wrote to memory of 3408	5480	M8j28.exe	91
PID 5480 wrote to memory of 3408	5480	M8j28.exe	91
PID 2272 wrote to memory of 4528	2272	cmd.exe	92
PID 2272 wrote to memory of 4528	2272	cmd.exe	92
PID 3408 wrote to memory of 4720	3408	1T30B3.exe	96
PID 3408 wrote to memory of 4720	3408	1T30B3.exe	96
PID 3408 wrote to memory of 4720	3408	1T30B3.exe	96
PID 5480 wrote to memory of 4708	5480	M8j28.exe	97
PID 5480 wrote to memory of 4708	5480	M8j28.exe	97
PID 5480 wrote to memory of 4708	5480	M8j28.exe	97
PID 4720 wrote to memory of 3856	4720	rapes.exe	104
PID 4720 wrote to memory of 3856	4720	rapes.exe	104
PID 4720 wrote to memory of 3856	4720	rapes.exe	104
PID 3856 wrote to memory of 1396	3856	AfkeY2q.exe	105
PID 3856 wrote to memory of 1396	3856	AfkeY2q.exe	105
PID 3856 wrote to memory of 1396	3856	AfkeY2q.exe	105
PID 4720 wrote to memory of 3232	4720	rapes.exe	108
PID 4720 wrote to memory of 3232	4720	rapes.exe	108
PID 3232 wrote to memory of 6120	3232	CmvdYC4.exe	110
PID 3232 wrote to memory of 6120	3232	CmvdYC4.exe	110
PID 4720 wrote to memory of 5564	4720	rapes.exe	119
PID 4720 wrote to memory of 5564	4720	rapes.exe	119
PID 5564 wrote to memory of 4892	5564	ibC8xs1.exe	120
PID 5564 wrote to memory of 4892	5564	ibC8xs1.exe	120
PID 4892 wrote to memory of 5252	4892	csc.exe	122
PID 4892 wrote to memory of 5252	4892	csc.exe	122
PID 5564 wrote to memory of 4780	5564	ibC8xs1.exe	123
PID 5564 wrote to memory of 4780	5564	ibC8xs1.exe	123
PID 5564 wrote to memory of 4780	5564	ibC8xs1.exe	123
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 5564 wrote to memory of 4708	5564	ibC8xs1.exe	124
PID 4088 wrote to memory of 4276	4088	cmd.exe	127
PID 4088 wrote to memory of 4276	4088	cmd.exe	127
PID 5452 wrote to memory of 5832	5452	explorer.exe	129
PID 5452 wrote to memory of 5832	5452	explorer.exe	129
PID 5832 wrote to memory of 2292	5832	exp.exe	131
PID 5832 wrote to memory of 2292	5832	exp.exe	131
PID 2292 wrote to memory of 1464	2292	csc.exe	133
PID 2292 wrote to memory of 1464	2292	csc.exe	133
PID 5832 wrote to memory of 3976	5832	exp.exe	134
PID 5832 wrote to memory of 3976	5832	exp.exe	134
PID 5832 wrote to memory of 3976	5832	exp.exe	134
PID 5832 wrote to memory of 5956	5832	exp.exe	135
PID 5832 wrote to memory of 5956	5832	exp.exe	135
PID 5832 wrote to memory of 5956	5832	exp.exe	135
PID 5832 wrote to memory of 5956	5832	exp.exe	135

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe
"C:\Users\Admin\AppData\Local\Temp\2320a574556780b6f4376b358bfdce5af24c0bc58d7b4818af64851f6bdd9f4d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M8j28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M8j28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1T30B3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1T30B3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\onefile_3232_133884812198182163\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
    - - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jrtyirg1\jrtyirg1.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF40.tmp" "c:\Users\Admin\AppData\Local\Temp\jrtyirg1\CSCCB5751A524D84AE3BAA9AFA13555C2C2.TMP"
        7⤵
        
        PID:5252
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Downloads MZ/PE file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:4708
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5860
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1544
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:2684
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9ac54dcf8,0x7ff9ac54dd04,0x7ff9ac54dd10
        8⤵
        
        PID:1788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2012 /prefetch:2
        8⤵
        
        PID:5964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2248,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1600 /prefetch:3
        8⤵
        
        PID:3860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2888,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2880 /prefetch:8
        8⤵
        
        PID:1200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3360 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4236,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4288 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:5636
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,14106149552861977205,10304432825834168979,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4692 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2272
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1916
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:3704
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:4828
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5824
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5384
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:3552
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5972
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:872
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1460
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5616
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5740
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1724
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1064
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5872
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:4436
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:2768
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:1588
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:3004
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5804
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:3024
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:7776
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:7880
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:7404
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:5496
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:3492
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:24484
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        7⤵
        
        PID:24428
    - - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5216
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpwp0x2h\gpwp0x2h.cmdline"
        6⤵
        
        PID:6052
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES487E.tmp" "c:\Users\Admin\AppData\Local\Temp\gpwp0x2h\CSCD2A9D3ED4A974E0F95942C6DFD2F7029.TMP"
        7⤵
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\10489820101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489820101\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9ac54dcf8,0x7ff9ac54dd04,0x7ff9ac54dd10
        10⤵
        
        PID:4536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1584,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2124 /prefetch:3
        10⤵
        
        PID:4896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2096,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2092 /prefetch:2
        10⤵
        
        PID:4424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2276,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2720 /prefetch:8
        10⤵
        
        PID:6024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3272 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:2504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:4136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4232,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3836 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:2116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4604,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5360 /prefetch:8
        10⤵
        
        PID:5976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5500 /prefetch:8
        10⤵
        
        PID:4172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5364,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5668 /prefetch:8
        10⤵
        
        PID:4204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5604,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5592 /prefetch:8
        10⤵
        
        PID:5172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5612,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5736 /prefetch:8
        10⤵
        
        PID:4860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,17229338331781668534,15263709771629943704,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5576 /prefetch:8
        10⤵
        
        PID:2600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:3224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff9b060f208,0x7ff9b060f214,0x7ff9b060f220
        11⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,3053629944237714116,174940593411797194,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
        11⤵
        
        PID:852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1944,i,3053629944237714116,174940593411797194,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:3
        11⤵
        
        PID:5172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,3053629944237714116,174940593411797194,262144 --variations-seed-version --mojo-platform-channel-handle=3304 /prefetch:8
        11⤵
        
        PID:5444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3504,i,3053629944237714116,174940593411797194,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,3053629944237714116,174940593411797194,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3020
        
        C:\ProgramData\kxt2v3e3wt.exe
        
        "C:\ProgramData\kxt2v3e3wt.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\ProgramData\rimglf379z.exe
        
        "C:\ProgramData\rimglf379z.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4792
        
        C:\ProgramData\rimglf379z.exe
        
        "C:\ProgramData\rimglf379z.exe"
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        11⤵
        
        PID:6128
        
        C:\ProgramData\v3w4euaiec.exe
        
        "C:\ProgramData\v3w4euaiec.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\esVTsWUdaTVY8tnF.exe
        
        C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\esVTsWUdaTVY8tnF.exe 0
        10⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\tCx0ZAZ8hctGLoZh.exe
        
        C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\tCx0ZAZ8hctGLoZh.exe 4728
        11⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1116
        12⤵
        Program crash
        
        PID:24400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1032
        11⤵
        Program crash
        
        PID:18192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\r1n7q" & exit
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7720
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\joker1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\joker1221.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1412
        9⤵
        Program crash
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\10046340101\EXE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\EXE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\10054110101\f472ac9f9d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10054110101\f472ac9f9d.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10054110101\f472ac9f9d.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\10054120101\6bdd1863ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10054120101\6bdd1863ff.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10054120101\6bdd1863ff.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\10489830101\CmvdYC4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489830101\CmvdYC4.exe"
        5⤵
        Executes dropped EXE
        
        PID:4440
      - C:\Users\Admin\AppData\Local\Temp\onefile_4440_133884812704387879\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10489830101\CmvdYC4.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\10489840101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489840101\qhjMWht.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\10489850101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489850101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\10489860101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489860101\AfkeY2q.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10489870271\ArFLIYD.msi" /quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\10489880101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489880101\9sWdA2p.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\10489890101\c760a82587.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489890101\c760a82587.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\10489900101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10489900101\larBxd7.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R5826.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R5826.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:4276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jepanamw\jepanamw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17.tmp" "c:\Users\Admin\AppData\Local\Temp\jepanamw\CSC4CA9025E2BD8444CAD76F1DC609FAE.TMP"
      4⤵
      PID:1464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5956

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:5604
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:2072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3172
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmbnzy4d\cmbnzy4d.cmdline"
    3⤵
    PID:5228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54D2.tmp" "c:\Users\Admin\AppData\Local\Temp\cmbnzy4d\CSC6F7F94E7107E49F7AB5E9E6D3752BA5.TMP"
      4⤵
      PID:4624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4812
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      PID:32
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4176
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4204 -ip 4204
1⤵
PID:5284

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:740

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5956

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\esVTsWUdaTVY8tnF.exe
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\esVTsWUdaTVY8tnF.exe
  C:\Users\Admin\AppData\Local\Temp\6lGDvfSX\esVTsWUdaTVY8tnF.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6252
- - C:\Users\Admin\AppData\Local\Temp\8cU7ljXX\TJnSZ3p4qrtzPd1E.exe
    C:\Users\Admin\AppData\Local\Temp\8cU7ljXX\TJnSZ3p4qrtzPd1E.exe 6252
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7604 -s 640
      4⤵
      Program crash
      PID:24452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4728 -ip 4728
1⤵
PID:18144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4684 -ip 4684
1⤵
PID:18152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 7604 -ip 7604
1⤵
PID:24412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion