Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 09:23
Static task: static1
Behavioral task: behavioral1
Sample: 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe
Resource: win7-20241010-en
General
Target: 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe
Size: 2.9MB
MD5: 77bc76aa9e8e6d5916f06887014cb2e8
SHA1: 2a06b83b186945145b901c95dc8ff63321c78f1f
SHA256: 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888
SHA512: 305a54be3787ac704b1884b8a6ee34097386a1b397baf13e23f3b4bc1c207a15005c7634d048d6ba4216052ff3d46fbe043040585921ec194017fa5e8fa18cb7
SSDEEP: 49152:uK0jkOllf67vjwTRJxAh+By4P8uU2Twz5yHRIxG7:k5lf6zjwTRJxAmy4Qx5U/7
Malware Config
Extracted: lumma
- https://scriptyprefej.store
- https://navygenerayk.store
- https://founpiuer.store
- https://necklacedmny.store
- https://thumbystriw.store
- https://fadehairucw.store
- https://crisiwarny.store
- https://presticitpo.store
Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Signatures
Amadey family
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes:
- skotes.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- DocumentsAFHDAEGHDG.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- skotes.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- fc89025b7e.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- lum250.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 63500a1c2f.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 984efb6da5.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 7 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
Processes:
- PID 2948 chrome.exe
- PID 580 chrome.exe
- PID 2480 chrome.exe
- PID 1888 chrome.exe
- PID 1704 chrome.exe
- PID 1092 chrome.exe
- PID 2652 chrome.exe
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 984efb6da5.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 984efb6da5.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- DocumentsAFHDAEGHDG.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- fc89025b7e.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- lum250.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 63500a1c2f.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- skotes.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- skotes.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- fc89025b7e.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- lum250.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- skotes.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- DocumentsAFHDAEGHDG.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 63500a1c2f.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- skotes.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Executes dropped EXE 8 IoCs
Processes:
- PID 2380 DocumentsAFHDAEGHDG.exe
- PID 3060 skotes.exe
- PID 2832 fc89025b7e.exe
- PID 2876 babababa.exe
- PID 2720 lum250.exe
- PID 792 63500a1c2f.exe
- PID 380 984efb6da5.exe
- PID 2448 skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- 984efb6da5.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- skotes.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- DocumentsAFHDAEGHDG.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- skotes.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- fc89025b7e.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- lum250.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
- 63500a1c2f.exe: Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine
Loads dropped DLL 14 IoCs
Processes:
- PID 1656 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe (2 entries)
- PID 2288 cmd.exe
- PID 2380 DocumentsAFHDAEGHDG.exe
- PID 3060 skotes.exe (10 entries)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- skotes.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\63500a1c2f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006169001\\63500a1c2f.exe"
- skotes.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\984efb6da5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006170001\\984efb6da5.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
- PID 1656 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe (2 entries)
- PID 2380 DocumentsAFHDAEGHDG.exe
- PID 3060 skotes.exe
- PID 2832 fc89025b7e.exe
- PID 2720 lum250.exe
- PID 792 63500a1c2f.exe
- PID 380 984efb6da5.exe
- PID 2448 skotes.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3060 set thread context of 2448 (pid 3060, skotes.exe, procid_target 68)
Drops file in Windows directory 1 IoCs
Processes:
- DocumentsAFHDAEGHDG.exe: File created C:\Windows\Tasks\skotes.job
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes:
- pid 1744, pid_target 2720, WerFault.exe, procid_target 55
- pid 2964, pid_target 792, WerFault.exe, procid_target 65
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- DocumentsAFHDAEGHDG.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- skotes.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- lum250.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 984efb6da5.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- skotes.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- fc89025b7e.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 63500a1c2f.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- fc89025b7e.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- fc89025b7e.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies system certificate store 3 IoCs
Processes:
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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
- 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
- PID 1656 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe (8 entries)
- PID 580 chrome.exe (2 entries)
- PID 1656 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe (2 entries)
- PID 2380 DocumentsAFHDAEGHDG.exe
- PID 3060 skotes.exe
- PID 2832 fc89025b7e.exe
- PID 2720 lum250.exe
- PID 1092 chrome.exe (2 entries)
- PID 2720 lum250.exe (4 entries)
- PID 792 63500a1c2f.exe (5 entries)
- PID 380 984efb6da5.exe
- PID 2448 skotes.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
- Token: SeShutdownPrivilege, PID 580 chrome.exe (12 entries)
- Token: SeShutdownPrivilege, PID 1092 chrome.exe (4 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- PID 580 chrome.exe (34 entries)
- PID 2380 DocumentsAFHDAEGHDG.exe
- PID 1092 chrome.exe (29 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1656 wrote to memory of 580 (pid 1656, 1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe, procid_target 32), 4 entries
- PID 580 wrote to memory of 2124 (pid 580, chrome.exe, procid_target 33), 3 entries
- PID 580 wrote to memory of 1836 (pid 580, chrome.exe, procid_target 34), 3 entries
- PID 580 wrote to memory of 2592 (pid 580, chrome.exe, procid_target 35), 39 entries
- PID 580 wrote to memory of 1540 (pid 580, chrome.exe, procid_target 36), 3 entries
- PID 580 wrote to memory of 1752 (pid 580, chrome.exe, procid_target 37), 12 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe"C:\Users\Admin\AppData\Local\Temp\1602395865ab78a9e84d8cd9b9b948d4be8e48573feb25e07f16ff3d8043d888.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d97783⤵PID:2124
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:1836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:23⤵PID:2592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1068 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:83⤵PID:1540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:83⤵PID:1752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:23⤵PID:2540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1396 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1260,i,4894041000687731824,16503246910447983126,131072 /prefetch:83⤵PID:2416
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsAFHDAEGHDG.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Users\Admin\DocumentsAFHDAEGHDG.exe"C:\Users\Admin\DocumentsAFHDAEGHDG.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\1005956001\fc89025b7e.exe"C:\Users\Admin\AppData\Local\Temp\1005956001\fc89025b7e.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1092 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7469758,0x7fef7469768,0x7fef74697787⤵PID:772
-
-
C:\Windows\system32\ctfmon.exectfmon.exe7⤵PID:2456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1232 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:27⤵PID:2436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:87⤵PID:2272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:87⤵PID:2592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1060 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:17⤵
- Uses browser remote debugging
PID:2948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:17⤵
- Uses browser remote debugging
PID:2652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2812 --field-trial-handle=1008,i,8914544947599784858,18126291564772934413,131072 /prefetch:27⤵PID:1184
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"5⤵
- Executes dropped EXE
PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 12046⤵
- Program crash
PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006169001\63500a1c2f.exe"C:\Users\Admin\AppData\Local\Temp\1006169001\63500a1c2f.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:792 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 11806⤵
- Program crash
PID:2964
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006170001\984efb6da5.exe"C:\Users\Admin\AppData\Local\Temp\1006170001\984efb6da5.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:380
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
Tree depth: 5
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Tree depth: 1
PID: 2368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Tree depth: 1
PID: 356
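Two of the dropped payloads above (lum250.exe, PID 2720, and 63500a1c2f.exe, PID 792) each have a WerFault.exe child whose -p argument is their own PID, so they crashed rather than running to completion; babababa.exe and 984efb6da5.exe did not. The helper below, an example added to this page and not a feature of the sandbox or code from the sample's authors, makes that correlation mechanically: it rebuilds parent/child links from the nesting depth, flags processes launched from the numbered %LOCALAPPDATA%\Temp\<10 digits>\ staging folders seen in the tree, attributes each WerFault child to the PID it names, and lists which anti-analysis signatures fired per payload. The input format (depth|pid|command line|sig;sig) is a constructed simplification of the tree; the depth-4 parent is not visible in this excerpt, so a stand-in line with a made-up PID 3000 (reusing the skotes.exe path only as a realistic placeholder) is used.

```python
"""Crash and staging-folder triage over a sandbox process tree.

Added example for this report; not a sandbox feature and not code from the
sample's authors. Input lines are 'depth|pid|command line|sig;sig', a
constructed, simplified form of the tree above. The depth-4 parent is not
visible in the excerpt, so a stand-in line (PID 3000, made up) is used.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Staging folders seen above: %LOCALAPPDATA%\Temp\<10 digits>\<name>.exe
STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.exe", re.IGNORECASE)
# WerFault.exe -u -p <pid> -s <handle>: -p names the process that crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe\s.*?-p\s+(\d+)", re.IGNORECASE)
# Signature names on this page that indicate anti-VM / anti-debug behaviour.
ANTI_ANALYSIS_RE = re.compile(r"anti-VM|Wine|HideFromDebugger|BIOS", re.IGNORECASE)

# Constructed sample: PIDs, paths and signatures copied from the tree above,
# parent line (PID 3000) made up.
SAMPLE = r"""
4|3000|"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"|Executes dropped EXE
5|2876|"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"|Executes dropped EXE
5|2720|"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"|Identifies VirtualBox via ACPI registry values (likely anti-VM);Checks BIOS information in registry;Executes dropped EXE;Identifies Wine through registry keys;Suspicious use of NtSetInformationThreadHideFromDebugger
6|1744|C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1204|Program crash
5|792|"C:\Users\Admin\AppData\Local\Temp\1006169001\63500a1c2f.exe"|Identifies VirtualBox via ACPI registry values (likely anti-VM);Executes dropped EXE;Suspicious use of NtSetInformationThreadHideFromDebugger
6|2964|C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1180|Program crash
5|380|"C:\Users\Admin\AppData\Local\Temp\1006170001\984efb6da5.exe"|Identifies VirtualBox via ACPI registry values (likely anti-VM);Executes dropped EXE
"""


@dataclass
class Proc:
    depth: int
    pid: int
    cmdline: str
    sigs: List[str]
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)
    crashed: bool = False


def image_of(cmdline: str) -> str:
    """Executable path from a command line, honouring a quoted first token."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from nesting depth, in the tree's own order."""
    procs: List[Proc] = []
    last_at_depth: Dict[int, Proc] = {}   # most recent process seen at each depth
    for raw in text.strip().splitlines():
        depth, pid, cmd, sigs = raw.split("|", 3)
        p = Proc(int(depth), int(pid), cmd, [s for s in sigs.split(";") if s])
        for d in [d for d in last_at_depth if d >= p.depth]:
            del last_at_depth[d]           # a new entry closes deeper branches
        p.parent = last_at_depth.get(p.depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def mark_crashes(procs: List[Proc]) -> None:
    """Attribute each WerFault child to the PID given in its -p argument."""
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        m = WERFAULT_RE.search(p.cmdline)
        if m and int(m.group(1)) in by_pid:
            by_pid[int(m.group(1))].crashed = True


def staged_payloads(procs: List[Proc]) -> List[dict]:
    """Payloads launched from a numbered %TEMP% folder, with crash state and
    the anti-analysis signatures that fired for each."""
    mark_crashes(procs)
    rows = []
    for p in procs:
        if STAGING_RE.search(p.cmdline):
            rows.append({
                "pid": p.pid,
                "image": image_of(p.cmdline),
                "parent_pid": p.parent.pid if p.parent else None,
                "crashed": p.crashed,
                "anti_analysis": [s for s in p.sigs if ANTI_ANALYSIS_RE.search(s)],
            })
    return rows


def analyze_sample() -> List[dict]:
    return staged_payloads(parse_tree(SAMPLE))


if __name__ == "__main__":
    for row in analyze_sample():
        state = "CRASHED" if row["crashed"] else "ran"
        print(f"{row['pid']:>5} {state:7} {row['image']}  anti-analysis={len(row['anti_analysis'])}")
```

A crashed payload is worth noting before reading the rest of the report: a stealer that dies under WerFault a few seconds in never reaches its C2, so an empty Network section for that process is an artifact of the crash, not evidence that it has no network behaviour.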
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
Filesize 1024KB
MD5 c806c4473f82ec409d0d01281513adc3
SHA1 a2a0d2dea8fb5429c8eb339d7504936db8b7ed95
SHA256 92cd61a571d3eb9dbff4319c293faf68a9a0960bd7efac19cd413df10d0b325a
SHA512 febbaad04eaa215c13f624905fa79c93f04057432895a67e93a41343fcbd02da3424713c62b068429d75a6833981c54f1dfa2df81d9d5ec891ab40fdd5bb2895

Filesize 40B
MD5 ade370d72a5e4a9155639bd6aa7522f6
SHA1 1f3fd4c8c7c358053efb7a665155bfced357badf
SHA256 3fa4c0d6a158c0cf88ab17ad09018739515eefc3ff31bffff3414cd50c4a73cb
SHA512 5723284b5ac7e7c953f0582598d34b302ce620bcd0f9a4261bc364ce033669eaaee298c47f4a17940710f3e656c7e160c0dc0638b839317e7221427332ef076d

Filesize 44KB
MD5 f0f87670a5826a06776570a5bfc5205b
SHA1 8194d41c504e22441a8bedd3821898b7e0d2bb1a
SHA256 28d3c231183252c7f6f7f2d944873ca1976861b55e97f930c99881f642fb10be
SHA512 3aa730fea2f9afadafec87daf4428ab6fd0384c41779bd9443315218938df320e1d4fcdb5c6d51835bb9933fa962571e85a53568839a82df49f3d41c0512c86a

Filesize 16B
MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Filesize 136B
MD5 4a6f392496f299a9c6811213ffe559e9
SHA1 e7555fe68f3d9f86ee653e939e69881aa27eaa82
SHA256 7d65a4652fdae998bde558b165f59e1ee29036a8c61b2e4b4d3ab5133b25c76a
SHA512 2469dc74f0188eb311167409e8218ac1148766ce0c5c9d763fa53332bdc67b8622dc883ae5c0bc3712eae656db222a13bb956328cc00cc206278d8d9a2e7c4af

Filesize 50B
MD5 1be22f40a06c4e7348f4e7eaf40634a9
SHA1 8205ec74cd32ef63b1cc274181a74b95eedf86df
SHA256 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691
SHA512 b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize 136B
MD5 31c5074db88c67fdcde2f2dde70dbb42
SHA1 7a79c47e8e56a42fd9254ffc28051cb7f200cd20
SHA256 fc78fe8fcfa44b6f577d77eb79f3a803eb01b89b7c5e8500d0a633927b3a1d3d
SHA512 51a69755550d9008e5498d897a42a9520089e520bc41aac704a5febe73c2cdc7b19f811b5a3221413fbc8365ec271403297701c1dc4cd8d94a5cc7caf749d167

Filesize 19B
MD5 e556f26df3e95c19dbaeca8f5df0c341
SHA1 247a89f0557fc3666b5173833db198b188f3aa2e
SHA256 b0a7b19404285905663876774a2176939a6ed75ef3904e44283a125824bd0bf3
SHA512 055bc4ab12feedf3245eaaf0a0109036909c44e3b69916f8a01e6c8459785317fe75ca6b28f8b339316fc2310d3e5392cd15dbdb0f84016667f304d377444e2e

Filesize 247B
MD5 e108fa3c65227bb4f52103b63d929f24
SHA1 c29ec52d12690a0ef225a7c7135696c975d4f6b2
SHA256 b0d6726062a05e3196a53bc17863415c4104dd993039a6d1efe88c29bbf49987
SHA512 490da85cf21d06e66c89662b2b7f47218f329787327a5f7a3191d2487669f8105324c6d64d28ed9383073b01bb4a8b68ad0547ead89d992138af739777a98c18

Filesize 90B
MD5 b6d5d86412551e2d21c97af6f00d20c3
SHA1 543302ae0c758954e222399987bb5e364be89029
SHA256 e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191
SHA512 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

Filesize 136B
MD5 18593a8807afa1a678f87913a3eef4de
SHA1 d64d04acd8918f46c921128145a2e9fc41c2265f
SHA256 e42b461c4531bcad9695c3364d8e1e6a90c849953c3c3cf6bbfff92362b27bf7
SHA512 8ae70b06ae89c957e960c9c45cf2fa1967cfba8c7d402f60b8387c696dcb7526a8afa47f526bca0894708949a5bd57a8ed4c862409ce5b9e3b57501deb7336ce
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
Filesize 107B
MD5 22b937965712bdbc90f3c4e5cd2a8950
SHA1 25a5df32156e12134996410c5f7d9e59b1d6c155
SHA256 cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Filesize 16B
MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize 1KB
MD5 f231183c8cee419e238331ae29c92a98
SHA1 f0fa6ac241682a347e89756f067bb2e5291cf4b3
SHA256 de595f7b8b66ee9038ae22362dc99cb0c155862d5003c05abbf522dd18c3b97e
SHA512 415214365e69d403b78817e9dbb7333a52eaf645da50479e25c1e6e950049f715c09eb58d202c59aa617a856f10874072e8fde41db55b0538ce9230930febb94

Filesize 2KB
MD5 ca394f45caba769a4cad4c83d6697927
SHA1 c211e9e64855c287f175ed34a1c8efa5c619cd59
SHA256 6ac4bf743644b04e1e726148d07645ab8ea45e4ad39330731fcdf6dbc47c1542
SHA512 a04d7ec03798841b8df4480bf8e4cd1df6e16ce89492a4a7b6347d19c296f814e6aa077aed689ec8ba7189cd2cfc0691b70132b6ecacbf28ca9d6d51675ea061

Filesize 250B
MD5 803c5d7b764b369c3ad484b8b84c8cc7
SHA1 5418ba21bd2360909d3f8f014426f772b3a154b2
SHA256 33cad4e1a163a957b4bb80d1cf6d14af0ad491d5a71e3275054c658af52e670a
SHA512 84eab5b937eed5088a5fb77fb033e9856eac2bd6e48a51f948580fcd726625e9b85e96759ca17276303884e6fc40bb48a757e22ec857bee5cdd1cf9c336beb3e

Filesize 250B
MD5 f3e5497105538916a4a27e319681c079
SHA1 1b92c17f1ba7e66ea9058eebfb21dba1acd840fc
SHA256 697b7d0935fef557c883d53fc8cecb0567c652b495e645d609180b06a43ae9da
SHA512 c9aa65f6f740f04bf8e60a04da403bd5e8fe7f3c219444d94ae0afa17c8fb7f3d742a9ea3fa69e538616d4610b151b3cd9cf0dbc568cedaa1c42736ef796c0ee
Filesize 485B
MD5 018db1ba3d03249ceaa62ee2754d021d
SHA1 2fdfc237ae1a367855dad135b0ede1707a28d4c7
SHA256 c8a39850f1f9dfd1bdcbd871f564dc9673a05c1c8ca6625cd0d7516910053b69
SHA512 bca5477590243b9165fcdd66256de97bd754832fe766fb32cb1b3524ec3ab4f67fd0e1e2ff3ca3adec148c37510b057315b4aaf1cde9729d9d2954fe8da75400

Filesize 57B
MD5 50e0a00e9e3eca5dd3e80d3e6e8b8eb6
SHA1 f0afa409c7ab927938c8dedf7e57c0f355103cba
SHA256 7c820f099ace6ab1f6694f5b610412ce0cd81c64a500bc8558ae5ff9042a9c8c
SHA512 7834f7052e6d21e6aba4b5445b555103bfb9f1e04457a5aa7363918e97e0d7dfd0e08a9136c377600fd3a1c8818296b76e9eb09c7217b4e8b9229bb81689a79e

Filesize 249B
MD5 5f862fa4855f72e57fbf0b2052e4b60d
SHA1 f0551ba43216e6a81a79ab1ba14266f2c6bfd817
SHA256 b02237e148771c8f6c323b22d7e9552b5a7ef714b28dfc3fd827e5e67909ad1d
SHA512 dc64944fe484af2300078cdd8e594960652ec3abaa46db726e6b40873106a11bf703260b50a3721d286e1681baffb3a90cd68e13dc6b436f5d66d26c1da0e2f7

Filesize 98B
MD5 cce6d9e0a2fca760e3a7904fca2fa80b
SHA1 b637051510893c6688ef301bd59532f3255b3a01
SHA256 7833d6eb2a94306bd3d04cf593243cda062e5deb67528a767a43f42d8a12e159
SHA512 17740ac23a35c466429bd338214cff75d51321a95eac7785e3ff2b5597a1d6cc01a52bdfbd4143b0510affd86b4a892a6f0d337d057ee464d788abd8a4b7b2f7

Filesize 318B
MD5 2854f9012a7849465fa6884c95bc80c1
SHA1 d5ae643491e22adf36a57a3d92292cdf1f489881
SHA256 e08ceec97680bfb09b5f08a92b1d39608dba72b4c60c0180ddba02648df11d52
SHA512 e5520c9cfd41a2affaeb6bfaa326be2085593ed20f31b662a7611acb786f41b692c6bb267f0e24292ae5806068c4279afa77f8ca09b028eba13d0c5baced6412

Filesize 34B
MD5 fe62c64b5b3d092170445d5f5230524e
SHA1 0e27b930da78fce26933c18129430816827b66d3
SHA256 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2
Filesize 16B
MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Filesize 249B
MD5 f60ad0bfae1f7c7850c5a242b2ba9c95
SHA1 c4a7277ca2fc7b051cd1e8934f8094bc72e6e38b
SHA256 6bccc6c1f96465a89e847e1e91efbe3a21ab121dd16d7af2cd36271e99d41435
SHA512 a487eb0b9c8f49b3890fdf6c9d9feedc310bfe467b420d62b0b8a1a1013378232cd17eae822d18e11aaa2069b1382e704f920c1a2111c0df9d35e0792f434a3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize 118B
MD5 d757e9f525200060aefbd2e00bc69809
SHA1 ae551809c3435fe3e6716b76dc23b7294189b4ce
SHA256 729406f9e7c1e50d927d0c6916ee0a97eaa26c46e6cdecef7580e61b8c0dfe20
SHA512 50c15062061f449952bda82a8b0cd4bafe6f3f434f642fadb8017e65c09886bb4d0b52967c80f8fa380447c63d79b6518f605a3efe7d8eea40c2dbbaa0d41953

Filesize 14B
MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Filesize 177KB
MD5 b15a85929c377b31a714b6e2a2294398
SHA1 d02aaf969119f680d1e37a6a0326a1a73343f38a
SHA256 06740ac7d1278061ba7aaa49b7b0547dce717b70b9264caab5f6db423b719fcb
SHA512 cc43f632ace2efc07a8fb205a35fcedac49c0150d4a6a926cefd5ee265dc76daa51bb54c4e3acba6cf601bbcff455dec7a2a2d54e88f8a6d7c246ea1e19ce4b0

Filesize 86B
MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
Filesize 4.2MB
MD5 a7e41df2cb4730c2e9b4cc777e99df77
SHA1 20e33d9967a4b927692bc5b1809c1aad790542eb
SHA256 5713f57c3f457cb7bc70b6495bc94737c1d6a608dbfd4411bcc7437246eb66cf
SHA512 c38a2591fb36e56b06ee983e9df5e90f9354dce860dabd3561d6358476284bb4de74e29f84cd2db11ec026bd901abc4c923ee18b39f596de9db7798e6da42439

Filesize 33.3MB
MD5 8fb77810c61e160a657298815346996e
SHA1 4268420571bb1a858bc6a9744c0742d6fd738a83
SHA256 a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
SHA512 b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2

Filesize 1.8MB
MD5 5b015748645c5df44a771f9fc6e136c3
SHA1 bf34d4e66f4210904be094e256bd42af8cb69a13
SHA256 622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909
SHA512 026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302

Filesize 3.1MB
MD5 a129ada197c203ab5c29a3ebd6bbad8d
SHA1 f9d8cbac2e40e018d5e747229c65c3dc7bfb0319
SHA256 32dda44489d303e0f6b99a3373c146870a398db3b05891bfd3eb6161d8f40e9a
SHA512 d9fff9e986de896b8df23f2ff2e7e750b7deabea996e3037d2eaf6139397bb21de9f593541eca8082a550d2e6cf23015a4fcd7bf9379c00871c916cbbb983ab4

Filesize 1.7MB
MD5 e11f407e9906425f9f0358d0ecc56558
SHA1 fe31800849a6fc0d696b4e400c3f3a04e81f7bc7
SHA256 62a1bfbbef4cba2bf00dd74cc162b1326b63f8c7d1fbbe0beb1155894e12851b
SHA512 1aaaf9f47fe7f188153563475ffa0f78d1f7b9d32221b405edde7d52ad1b040525fb07e0b49e8823b4e6bd8b109fc005fc6e107a9b894a8c19ea9ec68b30979b

Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize 3.1MB
MD5 6a1bbfbdaf00c7e89cfe3ff42742c6d0
SHA1 45d20380b86f2225b04a71fa327d93f15652e656
SHA256 655c0c7eeefd0da2176b56d1308ab26f0ef57999f02f93e8c3de743b9e3e714d
SHA512 9099c08d8680231531be317402e75d6133877915b5069f9b649b2e6fbbbae54bc7b3cc8219f68d82a882713623f5fe2f43ea82a3cebd4939373f604dc422e15f
(zero-byte file: the four digests below are the well-known digests of empty input and identify nothing; do not use them as indicators)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
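Before the hash list above is pushed into a blocklist or a threat-intel platform it needs two checks a practitioner would normally script: that every digest has the right length and is hex (extraction can truncate or glue values), and that records carrying the digests of an empty file are dropped, since a zero-byte artifact (one appears in the list above, with MD5 d41d8cd98f00b204e9800998ecf8427e) matches every empty file on every host. The parser below is an example added to this page, not a feature of the sandbox and not code from the sample's authors; it reads the flat Filesize / MD5 / SHA1 / SHA256 / SHA512 layout used above, whether a label is glued to its value, separated by a space, or on the line before it. SAMPLE is constructed: three records copied from the list above plus one deliberately malformed record whose MD5 ("deadbeef") is made up.

```python
"""IOC extraction from a sandbox 'Downloads' hash listing.

Added example for this report, not a sandbox feature and not code from the
sample's authors. It reads the flat 'Filesize / MD5 / SHA1 / SHA256 / SHA512'
records in the form used above, validates each digest, and refuses to export
a record whose digests are those of empty input. SAMPLE is constructed: three
records copied from the report plus one deliberately broken one.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of b"" computed here rather than hard-coded, so they cannot be mistyped.
EMPTY_DIGESTS = {name: hashlib.new(name.lower(), b"").hexdigest() for name in DIGEST_LEN}

# 'MD5<hex>', 'MD5 <hex>' or a bare label ('Filesize') whose value follows on the next line.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*([0-9A-Za-z.]*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

SAMPLE = r"""
-
Filesize
1024KB
MD5c806c4473f82ec409d0d01281513adc3
SHA1a2a0d2dea8fb5429c8eb339d7504936db8b7ed95
SHA25692cd61a571d3eb9dbff4319c293faf68a9a0960bd7efac19cd413df10d0b325a
SHA512febbaad04eaa215c13f624905fa79c93f04057432895a67e93a41343fcbd02da3424713c62b068429d75a6833981c54f1dfa2df81d9d5ec891ab40fdd5bb2895
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize118B
MD5d757e9f525200060aefbd2e00bc69809
SHA1ae551809c3435fe3e6716b76dc23b7294189b4ce
SHA256729406f9e7c1e50d927d0c6916ee0a97eaa26c46e6cdecef7580e61b8c0dfe20
SHA51250c15062061f449952bda82a8b0cd4bafe6f3f434f642fadb8017e65c09886bb4d0b52967c80f8fa380447c63d79b6518f605a3efe7d8eea40c2dbbaa0d41953
-
Filesize
2B
MD5deadbeef
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
"""


@dataclass
class Record:
    name: Optional[str] = None
    filesize: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def set_field(rec: Record, label: str, value: str) -> None:
    """Store a Filesize or a digest, recording a problem if the digest is malformed."""
    if label == "Filesize":
        rec.filesize = value
        return
    want = DIGEST_LEN[label]
    if len(value) != want or not re.fullmatch(r"[0-9a-fA-F]+", value):
        rec.problems.append(f"{label} is not {want} hex chars: {value!r}")
        return
    rec.digests[label] = value.lower()


def parse_listing(text: str) -> List[Record]:
    """Split on '-' separator lines and read label/value pairs into records."""
    records: List[Record] = []
    current: Optional[Record] = None
    pending: Optional[str] = None           # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current is not None:
                records.append(current)
            current, pending = Record(), None
            continue
        if current is None:
            current = Record()
        if pending is not None:
            set_field(current, pending, line)
            pending = None
        elif PATH_RE.match(line):
            current.name = line
        else:
            m = LABEL_RE.match(line)
            if not m:
                current.problems.append(f"unparsed line: {line!r}")
            elif m.group(2) == "":
                pending = m.group(1)
            else:
                set_field(current, m.group(1), m.group(2))
    if current is not None:
        records.append(current)
    return records


def is_empty_file(rec: Record) -> bool:
    """True when every digest present is the digest of zero-byte input."""
    return bool(rec.digests) and all(v == EMPTY_DIGESTS[k] for k, v in rec.digests.items())


def extract_iocs(text: str, algo: str = "SHA256") -> List[str]:
    """Unique digests of one algorithm, skipping malformed and empty-file records."""
    seen: List[str] = []
    for rec in parse_listing(text):
        if rec.problems or is_empty_file(rec) or algo not in rec.digests:
            continue
        if rec.digests[algo] not in seen:
            seen.append(rec.digests[algo])
    return seen


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        status = "empty file" if is_empty_file(rec) else ("; ".join(rec.problems) or "ok")
        print(f"{rec.filesize or '-':>7}  {rec.digests.get('SHA256', '?')[:16]}...  {status}")
    print(extract_iocs(SAMPLE))
```

Exporting SHA256 rather than MD5 is the better default for a blocklist; MD5 is kept here only because the listing carries it and some legacy feeds still key on it.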