Analysis Overview
SHA256
ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01
Threat Level: Known bad
The file ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Amadey family
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Uses browser remote debugging
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of web browsers
Windows security modification
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Identifies Wine through registry keys
Executes dropped EXE
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-14 03:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 03:17
Reported
2024-11-14 03:20
Platform
win7-20240903-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\50c3d9a632.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006113001\\50c3d9a632.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\7f837961ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006114001\\7f837961ca.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\5afafa67eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006116001\\5afafa67eb.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DocumentsGDBKKFHIEG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe
"C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73d9758,0x7fef73d9768,0x7fef73d9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1356,i,15357959644977275035,10583648935322138589,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsGDBKKFHIEG.exe"
C:\Users\Admin\DocumentsGDBKKFHIEG.exe
"C:\Users\Admin\DocumentsGDBKKFHIEG.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe
"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe
"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"
C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe
"C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 1220
C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe
"C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe
"C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| GB | 216.58.201.100:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| N/A | 127.0.0.1:9229 | N/A | tcp |
| N/A | 127.0.0.1:9229 | N/A | tcp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | frogmen-smell.sbs | udp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| US | 104.21.80.55:443 | frogmen-smell.sbs | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
Files
\ProgramData\nss3.dll
| Hash | Value |
|---|---|
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| Hash | Value |
|---|---|
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\DocumentsGDBKKFHIEG.exe
| Hash | Value |
|---|---|
| MD5 | 437df890d05908e08e478d2d336e1e49 |
| SHA1 | 8862dd7a5b5d86789cff4f506c485bab749368ca |
| SHA256 | 53fd79572b0e032793f27c255975618fece1910dbd0629868c79ecf60dfe6807 |
| SHA512 | 168c1c847fcaee032ebd13790ad06938a8ef5a190d130a08c1673c5497c45ea6a6067db7dd519af545d4b7cbf97765cca08e80232352386ab9065247ec62ddcd |
C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe
| Hash | Value |
|---|---|
| MD5 | 8fb77810c61e160a657298815346996e |
| SHA1 | 4268420571bb1a858bc6a9744c0742d6fd738a83 |
| SHA256 | a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66 |
| SHA512 | b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2 |
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe
| Hash | Value |
|---|---|
| MD5 | 5b015748645c5df44a771f9fc6e136c3 |
| SHA1 | bf34d4e66f4210904be094e256bd42af8cb69a13 |
| SHA256 | 622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909 |
| SHA512 | 026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302 |
C:\Users\Admin\AppData\Local\Temp\1006113001\50c3d9a632.exe
| Hash | Value |
|---|---|
| MD5 | edac279da93dab7714e7cc9980aa3b6e |
| SHA1 | 24bf373b2815ebd1159666bdd0e31556eab4e48d |
| SHA256 | b00bd7a04b7af101b2b2eccfa0e6dfbf31ec5e6b5c91a7776cbaef87cd936295 |
| SHA512 | 97b54487f94c3d5428f160233e1d50889c9facd81bdaa6df8ee35bb6978de60c30befe444bafa157d39745f366c91393b73e812c8c800780724bd3308c5dceca |
C:\Users\Admin\AppData\Local\Temp\1006114001\7f837961ca.exe
| Hash | Value |
|---|---|
| MD5 | c2e652b53e22381677787eed80a5220f |
| SHA1 | ebe4bdfd14ce51aa88fa8610a499b7a31e6b986a |
| SHA256 | c3bbabde6b5c2eb2cd3efe94c544a6ba84e249dbac7d03f434fb7340465b0426 |
| SHA512 | b960f6b7b8e016140cbcf7e79d731b02f66e07808a5879228a5754fc61b8072bf435a091600b9e4bb85fa0ad855bec42893e38939f6897e1b629b1d7963cc422 |
C:\Users\Admin\AppData\Local\Temp\1006116001\5afafa67eb.exe
| Hash | Value |
|---|---|
| MD5 | 158a0d3d6bc42a769f3b5cbf3770cc62 |
| SHA1 | 1cb3c9f010afe2e7fd84eacce230c7fb4041af18 |
| SHA256 | 2e685b9297af94cb4a1a8bc1d421674e0fc127eaf5ef5c4f1e4ac2c260888f00 |
| SHA512 | a4f8a9cbc556a0e96d6ccdcfbb32e91e5b1e9f164c622d105d787762e8975ba38041bed3806d618ed5b0dd14056e81f487d1c628a302d5d855f5324176eebbff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 03:17
Reported
2024-11-14 03:20
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe
"C:\Users\Admin\AppData\Local\Temp\ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files