c38b3feb6e14a703ad96fdd30f43bb33fe96175be99b6e6caa39c585b5ad18fd

Analysis

max time kernel
35s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Saturn Free Temp.exe
Size

4.2MB
MD5

e6350586d1f6aacf8343125b758dfb1f
SHA1

5351a0c697e7c158d62f5e58484ba46787c952a8
SHA256

c38b3feb6e14a703ad96fdd30f43bb33fe96175be99b6e6caa39c585b5ad18fd
SHA512

93406b4356389d32862e2f01276e3da8ad3c398e5699f8716e222565bfce48298d3a0b0ded424cacd38d36d2f056108decb0ebf313e44a2c2dd470ac0fc11cb7
SSDEEP

98304:l7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6K0:U+y4ihkl/Wo/afHP

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

clean.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ clean.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4508 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clean.exe

pid	process
4508	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

clean.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00660048005300200020002d002000330000000000	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	clean.exe

Executes dropped EXE 1 IoCs

Processes:

clean.exe

pid process

640 clean.exe

pid	process
640	clean.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Windows\System32\clean.exe	themida
behavioral1/memory/640-4-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida
behavioral1/memory/640-5-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida
behavioral1/memory/640-7-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida
behavioral1/memory/640-6-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida
behavioral1/memory/640-8-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida
behavioral1/memory/640-128-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

clean.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA clean.exe
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

clean.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer clean.exe
Drops file in System32 directory 1 IoCs

Processes:

Saturn Free Temp.exe

description ioc process

File created C:\Windows\System32\clean.exe Saturn Free Temp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

clean.exe

pid process

640 clean.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	clean.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	clean.exe

description	ioc	process
File created	C:\Windows\System32\clean.exe	Saturn Free Temp.exe

pid	process
640	clean.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

clean.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	clean.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "a5d953bf-805e783e-8"	clean.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5d940a9b-33df83e4-a"	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	clean.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	clean.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	clean.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	clean.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	clean.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

3484 ipconfig.exe
4820 ipconfig.exe
4436 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1552 taskkill.exe
3172 taskkill.exe
4744 taskkill.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

clean.exemsedge.exemsedge.exe

pid process

640 clean.exe
640 clean.exe
4896 msedge.exe
4896 msedge.exe
3608 msedge.exe
3608 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

3608 msedge.exe
3608 msedge.exe
3608 msedge.exe
3608 msedge.exe
3608 msedge.exe

pid	process
3484	ipconfig.exe
4820	ipconfig.exe
4436	ipconfig.exe

pid	process
1552	taskkill.exe
3172	taskkill.exe
4744	taskkill.exe

pid	process
640	clean.exe
640	clean.exe
4896	msedge.exe
4896	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3084	WMIC.exe
Token: SeSecurityPrivilege	3084	WMIC.exe
Token: SeTakeOwnershipPrivilege	3084	WMIC.exe
Token: SeLoadDriverPrivilege	3084	WMIC.exe
Token: SeSystemProfilePrivilege	3084	WMIC.exe
Token: SeSystemtimePrivilege	3084	WMIC.exe
Token: SeProfSingleProcessPrivilege	3084	WMIC.exe
Token: SeIncBasePriorityPrivilege	3084	WMIC.exe
Token: SeCreatePagefilePrivilege	3084	WMIC.exe
Token: SeBackupPrivilege	3084	WMIC.exe
Token: SeRestorePrivilege	3084	WMIC.exe
Token: SeShutdownPrivilege	3084	WMIC.exe
Token: SeDebugPrivilege	3084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3084	WMIC.exe
Token: SeRemoteShutdownPrivilege	3084	WMIC.exe
Token: SeUndockPrivilege	3084	WMIC.exe
Token: SeManageVolumePrivilege	3084	WMIC.exe
Token: 33	3084	WMIC.exe
Token: 34	3084	WMIC.exe
Token: 35	3084	WMIC.exe
Token: 36	3084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3084	WMIC.exe
Token: SeSecurityPrivilege	3084	WMIC.exe
Token: SeTakeOwnershipPrivilege	3084	WMIC.exe
Token: SeLoadDriverPrivilege	3084	WMIC.exe
Token: SeSystemProfilePrivilege	3084	WMIC.exe
Token: SeSystemtimePrivilege	3084	WMIC.exe
Token: SeProfSingleProcessPrivilege	3084	WMIC.exe
Token: SeIncBasePriorityPrivilege	3084	WMIC.exe
Token: SeCreatePagefilePrivilege	3084	WMIC.exe
Token: SeBackupPrivilege	3084	WMIC.exe
Token: SeRestorePrivilege	3084	WMIC.exe
Token: SeShutdownPrivilege	3084	WMIC.exe
Token: SeDebugPrivilege	3084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3084	WMIC.exe
Token: SeRemoteShutdownPrivilege	3084	WMIC.exe
Token: SeUndockPrivilege	3084	WMIC.exe
Token: SeManageVolumePrivilege	3084	WMIC.exe
Token: 33	3084	WMIC.exe
Token: 34	3084	WMIC.exe
Token: 35	3084	WMIC.exe
Token: 36	3084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4908	WMIC.exe
Token: SeSecurityPrivilege	4908	WMIC.exe
Token: SeTakeOwnershipPrivilege	4908	WMIC.exe
Token: SeLoadDriverPrivilege	4908	WMIC.exe
Token: SeSystemProfilePrivilege	4908	WMIC.exe
Token: SeSystemtimePrivilege	4908	WMIC.exe
Token: SeProfSingleProcessPrivilege	4908	WMIC.exe
Token: SeIncBasePriorityPrivilege	4908	WMIC.exe
Token: SeCreatePagefilePrivilege	4908	WMIC.exe
Token: SeBackupPrivilege	4908	WMIC.exe
Token: SeRestorePrivilege	4908	WMIC.exe
Token: SeShutdownPrivilege	4908	WMIC.exe
Token: SeDebugPrivilege	4908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4908	WMIC.exe
Token: SeRemoteShutdownPrivilege	4908	WMIC.exe
Token: SeUndockPrivilege	4908	WMIC.exe
Token: SeManageVolumePrivilege	4908	WMIC.exe
Token: 33	4908	WMIC.exe
Token: 34	4908	WMIC.exe
Token: 35	4908	WMIC.exe
Token: 36	4908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4908	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Saturn Free Temp.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execlean.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2592 wrote to memory of 2956	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 2956	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 228	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 228	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4120	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4120	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4884	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4884	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4516	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4516	2592	Saturn Free Temp.exe	cmd.exe
PID 4516 wrote to memory of 3084	4516	cmd.exe	WMIC.exe
PID 4516 wrote to memory of 3084	4516	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 312	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 312	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 2896	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 2896	2592	Saturn Free Temp.exe	cmd.exe
PID 2896 wrote to memory of 4908	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 4908	2896	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 3104	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 3104	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 3024	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 3024	2592	Saturn Free Temp.exe	cmd.exe
PID 3024 wrote to memory of 2024	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2024	3024	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 4688	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4688	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4088	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4088	2592	Saturn Free Temp.exe	cmd.exe
PID 4088 wrote to memory of 1792	4088	cmd.exe	WMIC.exe
PID 4088 wrote to memory of 1792	4088	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 1556	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1556	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4916	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4916	2592	Saturn Free Temp.exe	cmd.exe
PID 4916 wrote to memory of 5072	4916	cmd.exe	WMIC.exe
PID 4916 wrote to memory of 5072	4916	cmd.exe	WMIC.exe
PID 2592 wrote to memory of 532	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 532	2592	Saturn Free Temp.exe	cmd.exe
PID 532 wrote to memory of 1988	532	cmd.exe	getmac.exe
PID 532 wrote to memory of 1988	532	cmd.exe	getmac.exe
PID 2592 wrote to memory of 1560	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1560	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1300	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1300	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1416	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 1416	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4504	2592	Saturn Free Temp.exe	cmd.exe
PID 2592 wrote to memory of 4504	2592	Saturn Free Temp.exe	cmd.exe
PID 4504 wrote to memory of 640	4504	cmd.exe	clean.exe
PID 4504 wrote to memory of 640	4504	cmd.exe	clean.exe
PID 640 wrote to memory of 1264	640	clean.exe	cmd.exe
PID 640 wrote to memory of 1264	640	clean.exe	cmd.exe
PID 1264 wrote to memory of 4744	1264	cmd.exe	taskkill.exe
PID 1264 wrote to memory of 4744	1264	cmd.exe	taskkill.exe
PID 640 wrote to memory of 4004	640	clean.exe	cmd.exe
PID 640 wrote to memory of 4004	640	clean.exe	cmd.exe
PID 4004 wrote to memory of 1552	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 1552	4004	cmd.exe	taskkill.exe
PID 640 wrote to memory of 4480	640	clean.exe	cmd.exe
PID 640 wrote to memory of 4480	640	clean.exe	cmd.exe
PID 4480 wrote to memory of 3172	4480	cmd.exe	taskkill.exe
PID 4480 wrote to memory of 3172	4480	cmd.exe	taskkill.exe
PID 640 wrote to memory of 1676	640	clean.exe	cmd.exe
PID 640 wrote to memory of 1676	640	clean.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Saturn Free Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Saturn Free Temp.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 5
2⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO CPU
2⤵
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO BIOS
2⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
3⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO Motherboard
2⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
2⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO smBIOS UUID
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c getmac
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\getmac.exe
getmac
3⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Going back to dashboard in 8 seconds...
2⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\clean.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\System32\clean.exe
C:\Windows\System32\clean.exe
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
5⤵
- Kills process with taskkill
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
5⤵
- Kills process with taskkill
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
5⤵
- Kills process with taskkill
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://applecheats.cc
4⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa01046f8,0x7fffa0104708,0x7fffa0104718
6⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
6⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
6⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
6⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
6⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
6⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
6⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
6⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
4⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
4⤵
PID:4704

C:\Windows\system32\netsh.exe
NETSH WINSOCK RESET
5⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
4⤵
PID:1556

C:\Windows\system32\netsh.exe
NETSH INT IP RESET
5⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
4⤵
PID:2764

C:\Windows\system32\netsh.exe
netsh advfirewall reset
5⤵
- Modifies Windows Firewall
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
4⤵
PID:1308

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV4 RESET
5⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
4⤵
PID:1676

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV6 RESET
5⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
4⤵
PID:3632

C:\Windows\system32\netsh.exe
NETSH INTERFACE TCP RESET
5⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
4⤵
PID:1760

C:\Windows\system32\netsh.exe
NETSH INT RESET ALL
5⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
4⤵
PID:3168

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
5⤵
- Gathers network information
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
4⤵
PID:3736

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
5⤵
- Gathers network information
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
4⤵
PID:3116

C:\Windows\system32\ipconfig.exe
IPCONFIG /FLUSHDNS
5⤵
- Gathers network information
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
4⤵
PID:1944

C:\Windows\system32\nbtstat.exe
NBTSTAT -R
5⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
4⤵
PID:3300

C:\Windows\system32\nbtstat.exe
NBTSTAT -RR
5⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
4⤵
PID:3248

C:\Windows\system32\ARP.EXE
arp -a
5⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
4⤵
PID:4356

C:\Windows\system32\ARP.EXE
arp -d
5⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
4⤵
PID:4232

C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
5⤵
PID:664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
58eab95a1f13da44674f5f7cdfcd583d

SHA1
daa384b5bc1cad12b2d6a3d95be2156d8528c86f

SHA256
598061776a68240029aaf9807ba6697b4e5aaa0409b53c26d6f05a4239325d7d

SHA512
1804674c802c2e9db8d8d6f48924a5dffab923daf7fb9bf08e3e5d5f8a93c9eeeb331a85516ee2fb4794e212537cf01d96a05d5fb05009937d139e4c10b9d98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
553B

MD5
9f7f5c4584c56f12f4fea18d066a543f

SHA1
6f2130340c296f93aff5c1b06871dacc5d9f872e

SHA256
4100b61ff5414201486000562801e4669c196cac2af18a211d1e525bc2b0e483

SHA512
7b066392ba29f044202a151dccaa52c24188ab90c123db0ec8cb32ed1e35366690f9d99a86828e5ad77cec208f541bfd1608e834ce44e2f48f0793842e6de4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d36bbe192737ff85cca73f35a62014fb

SHA1
5fff8630be8ed3839c36aaaebeff3daf931095db

SHA256
fa46f6359bee199818da197f256c2371ddd6ac508c45e7f67a4eaa0d6fb0d950

SHA512
c6976f98a463019518a1e7fc797e13c8dc9541d42c25f2c966843bcaacef778e418f2558a0c4b14d784db2695e9500a1e577612f58bbd78fb13353cd81d52726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
39a87a323fbf738b079b618292f94998

SHA1
6b2283aa5c6becd70a794cecf1abe4406fd1a832

SHA256
8a382ac0405281e6cf879602470551c08347ca1fa4895068ca7f30e951348c79

SHA512
2eacc115d9444be9dce90b91dc79a94d3023550c3390ce9f3abd7c387eff29f114c74d4186024860c1eaf845a1b968e8b35c7fb2e173c2ffb3fae7348ebb77bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ac31bd389f633de65ebf4b71d92d00d6

SHA1
acf7cfd681828730344b7ebe286ae371139923db

SHA256
e477a29985bcff196c4831c2d2ecad79d068c5fa46963f7011b3b30993816fdc

SHA512
4b1694c10934c8aa3d6b0c8b08376e42a78ffe521496ff956226f87527523ed2b090a48b2ecd5980efb7fa4b7e6b4dd4ddb827cef07db34c9e9e3e13a1d9bdea

Download Submit
C:\Windows\System32\clean.exe
Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
\??\pipe\LOCAL\crashpad_3608_WJQDSRQDKOVNQFND
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-8-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download
memory/640-6-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download
memory/640-7-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download
memory/640-5-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download
memory/640-4-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download
memory/640-128-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp

Filesize
9.6MB

Download