eternity | hxxps://github[.]com/TrawlerGT/Growtopia-Auto-CCS/blob/main/GT%20Auto-CCS%20v2[.]85[.]zip

Analysis

max time kernel
79s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/TrawlerGT/Growtopia-Auto-CCS/blob/main/GT%20Auto-CCS%20v2.85.zip

Score

10^/10

eternity growtopia agilenet evasion stealer themida trojan

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp	eternity_stealer
behavioral1/memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GT Auto-CCS by RealGoblins.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GT Auto-CCS by RealGoblins.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GT Auto-CCS by RealGoblins.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GT Auto-CCS by RealGoblins.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GT Auto-CCS by RealGoblins.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GT Auto-CCS by RealGoblins.exe

Drops startup file 2 IoCs

Processes:

GT Auto-CCS by RealGoblins.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GT Auto-CCS by RealGoblins.exe	GT Auto-CCS by RealGoblins.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GT Auto-CCS by RealGoblins.exe	GT Auto-CCS by RealGoblins.exe

Executes dropped EXE 4 IoCs

Processes:

dcd.exeGT Auto-CCS by RealGoblins.exe

pid process

1680 dcd.exe
4676 GT Auto-CCS by RealGoblins.exe
1680 dcd.exe
4676 GT Auto-CCS by RealGoblins.exe
Loads dropped DLL 2 IoCs

Processes:

GT Auto-CCS by RealGoblins.exe

pid process

4676 GT Auto-CCS by RealGoblins.exe
4676 GT Auto-CCS by RealGoblins.exe

pid	process
1680	dcd.exe
4676	GT Auto-CCS by RealGoblins.exe
1680	dcd.exe
4676	GT Auto-CCS by RealGoblins.exe

pid	process
4676	GT Auto-CCS by RealGoblins.exe
4676	GT Auto-CCS by RealGoblins.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp	agile_net
behavioral1/memory/2628-262-0x000000001D110000-0x000000001DAE2000-memory.dmp	agile_net
behavioral1/memory/4676-280-0x0000022C23C00000-0x0000022C24598000-memory.dmp	agile_net
behavioral1/memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp	agile_net
behavioral1/memory/2628-262-0x000000001D110000-0x000000001DAE2000-memory.dmp	agile_net
behavioral1/memory/4676-280-0x0000022C23C00000-0x0000022C24598000-memory.dmp	agile_net

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4676-288-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida
behavioral1/memory/4676-289-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida
behavioral1/memory/4676-292-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida
behavioral1/memory/4676-288-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida
behavioral1/memory/4676-289-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida
behavioral1/memory/4676-292-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GT Auto-CCS by RealGoblins.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GT Auto-CCS by RealGoblins.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

48 raw.githubusercontent.com
49 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

GT Auto-CCS by RealGoblins.exe

pid process

4676 GT Auto-CCS by RealGoblins.exe
4676 GT Auto-CCS by RealGoblins.exe

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com

pid	process
4676	GT Auto-CCS by RealGoblins.exe
4676	GT Auto-CCS by RealGoblins.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
456	msedge.exe
456	msedge.exe
3716	msedge.exe
3716	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
1660	msedge.exe
1660	msedge.exe
3148	msedge.exe
3148	msedge.exe
3004	msedge.exe
3004	msedge.exe
2400	msedge.exe
2400	msedge.exe
456	msedge.exe
456	msedge.exe
3716	msedge.exe
3716	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
1660	msedge.exe
1660	msedge.exe
3148	msedge.exe
3148	msedge.exe
3004	msedge.exe
3004	msedge.exe
2400	msedge.exe
2400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GT Auto-CCS by RealGoblins.exe

description pid process

Token: SeDebugPrivilege 2628 GT Auto-CCS by RealGoblins.exe
Token: SeDebugPrivilege 2628 GT Auto-CCS by RealGoblins.exe

description	pid	process
Token: SeDebugPrivilege	2628	GT Auto-CCS by RealGoblins.exe
Token: SeDebugPrivilege	2628	GT Auto-CCS by RealGoblins.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exe

pid	process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3716 wrote to memory of 216	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 216	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4712	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 456	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 456	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3112	3716	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/TrawlerGT/Growtopia-Auto-CCS/blob/main/GT%20Auto-CCS%20v2.85.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab2ef46f8,0x7ffab2ef4708,0x7ffab2ef4718
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,14670676095154468252,12463209450905610446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Temp1_GT Auto-CCS v2.85 (3).zip\GT Auto-CCS v2.85\GT Auto-CCS by RealGoblins.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_GT Auto-CCS v2.85 (3).zip\GT Auto-CCS v2.85\GT Auto-CCS by RealGoblins.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2628
- C:\Users\Admin\AppData\Local\Temp\kzg3tquz.24g\GT Auto-CCS by RealGoblins.exe
  "C:\Users\Admin\AppData\Local\Temp\kzg3tquz.24g\GT Auto-CCS by RealGoblins.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1680

C:\Users\Admin\AppData\Local\Temp\Temp1_GT Auto-CCS v2.85 (3).zip\GT Auto-CCS v2.85\MAC Address Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_GT Auto-CCS v2.85 (3).zip\GT Auto-CCS v2.85\MAC Address Tool.exe"
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
21.7MB

MD5
340f025ca1e9009e4b8a68fa1e6978fa

SHA1
dc4377fc9c10655359d7dcec82083fba2f1ef8c2

SHA256
a8d1b79883b7b5bfa25a640023634ea7f66bd2c68d39a15047f4adb9a60a4679

SHA512
528ca95b5e2ab54abe793bd97410870ce63c838c4623100bd0f383d6045131aa262095dbefa74d1fc2bc94d0b83cc8f4e86a8412078a3ac9676227b9122c4a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
71619009cef383c1585ef571679097da

SHA1
1d7a71b2193ee53a9c3245b90cf066696f7a1141

SHA256
7c30e8f7bb0a1f9fe1f6c0d6c0bff8c289fd5d40aa524bcb525e6d3646307805

SHA512
ed093f1f2b0884200d8338171b810da4204f40722f700864baadde11ec88b78977a3c5e54e1257ab9b02ae1d79ab6cf3f5da2ed07bf58c3773b46d8a690ef665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2916f3c5161db47c37b9d15d549611e0

SHA1
232254d010103056cb5b389e58b908b442882c68

SHA256
2ab4926d5ec6682d69fdb01dd8b33917ec49255123ec3070caee72b2a53be29f

SHA512
4f6ed14f48d1bd73163bcbca24f02c70eb07bbee1078b15cca6a19c8ded86289a3edcd9bd50ecf9206a6c8a25907362a22da4ddb3912c0d0d51b6aa57eeb037e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2e762602d2e24382a021f4ae96999ad

SHA1
f98158f246d1c8cf8dee48f5e9ae697ebef972a9

SHA256
2c6da5077f4d246ef21387c9fc9a4cb7e452cce52d1acd29118de3db548b29d1

SHA512
b8f6a70b17805cecbcfea9261d935d7163b584ca0fc1700e097b9756eaf6313230d9cfe9894df3a50a1fd2fb2156b22651afe952a0cb25e104e97c73b2e34676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b6c558667747800090582dab179fe19

SHA1
1d77ad25e0e0f59e28989cba4180ab198d98a0e8

SHA256
6769d692d4c27d84975b2463617c933e14bf7cc9eabc4a8c520e88296df80deb

SHA512
3b49979323471c7eabf21ec15936a30571ba9ea9a27befe59eaa6f7452634e25106ed185e536e45301fb3558ef9fe8b919b784c67f6957fbe2c0bb845d5cd69c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
096d09672376cf60ed4ad16a4ba7d7fa

SHA1
ddf0061f0e37870127c8361656d0f6befa34f5cd

SHA256
7226101f88000b69be653397964dc7459c9bd620bf243de6fd8b00a35989cd7d

SHA512
a8c8ef9d70eaccabff48d79dc3667d9acb94d1bb5236bc72cba978aa5f4d350092cc27f5036a559ddf99f6cbfe051357eabd13cb1450da3058c73dc2a4718b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f9e1.TMP

Filesize
874B

MD5
148d79e39d7a71c21f6741c2e5b1842e

SHA1
02eb8b9a20d44fb52d24d40bdaea7188c66286e9

SHA256
730b515eedddce7c3105c5de01e403c91d00d632876ae4bfa66ec207f2f0389f

SHA512
5499ee31379e2ce1b16bb631b2232a7c4f2446b346b552dd08851c0a0a279b9088a59ed1eab3f55be584df8a4488906efcd2572890fcbced5b926b348dc4df8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\120f9744-e028-4b41-860a-6ab79fa223b9\0

Filesize
16.7MB

MD5
32fe8073711c9b068f8eb756cc72deaf

SHA1
02f929e5ae033c3d781f8e2dfb1fb0f9f1e12df2

SHA256
d1dd759223def9d5181e95f348ed59d3d4b64fcfd0aaa364cc86a2fce64e53a3

SHA512
6431960816ab49be84c30fe36e0d6b9f50af2606d7da0fc69d3a6e2ce3745fb8326db97f4ff510076cae0076e1c129fd7392c4905e7da5ba1772e51302c45e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed3c69d7dfd949b55684660d68d163a5

SHA1
3f64c95e395bd2b941bebedc6cc71576a6d1b5ec

SHA256
aa9264d90e98e0158ead671a761e6dadf161bb31b9bcb2429a763dcb0fb3e815

SHA512
1a6cc33b22a834e55923de3bdf8b6e85adb581887f32bb62ad0e0025d540e64d17eb57c1b9cf57b78ab338c66c6445ce18d77452d2fda54b0f742031601ebbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d007d29d6c704b107814b116aae16af

SHA1
d7e81178530576f2bd780c372d04cce7aeb46ae3

SHA256
ef2afa57366d94692e3971abdfade3d81d0241ef83444cf66a709acf03f9de93

SHA512
f14aa8713f18fe984b5817c9cb74b1a7c04b2c7dd92a6de55e3d0734b1ac2a36aa1dca65cca2c86fd8340fd0815524418f9b22f8c774a189b1a989d8395efcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\64b8ae30-4e96-4282-bf47-3c7bb329dba7\AgileDotNetRT64.dll

Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzg3tquz.24g\GT Auto-CCS by RealGoblins.exe

Filesize
9.6MB

MD5
033d4174cb90e459594cbe9911511b8d

SHA1
b21db09241f015f1d22c40f6b8baf3e62259b99b

SHA256
cde2773d821d15f2003c5a4c5eed0559959f66f0f4be5214706253f5b9bd5077

SHA512
d63a755ad3f83c1da4567a6e081707eca720da461ce002e698f0b5410dfe62763cbdf911cff366b075f784aa51aa73e5d00178cb3b103f7212f775f6f6cdabeb

Download Submit
memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp

Filesize
20.1MB

Download
memory/2628-261-0x000000001CCB0000-0x000000001CD00000-memory.dmp

Filesize
320KB

Download
memory/2628-262-0x000000001D110000-0x000000001DAE2000-memory.dmp

Filesize
9.8MB

Download
memory/2628-262-0x000000001D110000-0x000000001DAE2000-memory.dmp

Filesize
9.8MB

Download
memory/2628-261-0x000000001CCB0000-0x000000001CD00000-memory.dmp

Filesize
320KB

Download
memory/2628-260-0x0000000000D90000-0x00000000021AA000-memory.dmp

Filesize
20.1MB

Download
memory/4152-293-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/4152-293-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/4152-294-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4152-295-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/4152-296-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/4152-297-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4152-297-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4152-296-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/4152-295-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/4152-294-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4676-288-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download
memory/4676-288-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download
memory/4676-289-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download
memory/4676-290-0x00007FFA9ECF0000-0x00007FFA9EE3E000-memory.dmp

Filesize
1.3MB

Download
memory/4676-292-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download
memory/4676-280-0x0000022C23C00000-0x0000022C24598000-memory.dmp

Filesize
9.6MB

Download
memory/4676-280-0x0000022C23C00000-0x0000022C24598000-memory.dmp

Filesize
9.6MB

Download
memory/4676-289-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download
memory/4676-290-0x00007FFA9ECF0000-0x00007FFA9EE3E000-memory.dmp

Filesize
1.3MB

Download
memory/4676-292-0x00007FFA97C00000-0x00007FFA9845F000-memory.dmp

Filesize
8.4MB

Download