amadey | ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Size

2.8MB
MD5

5086ec6859f91dbf4e36bfffc4150e0a
SHA1

854c904a7d05f4d8bb2acde139ad87d7792ed251
SHA256

ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166
SHA512

ad7d1068f4d1f0a0a9c0f75ad280a53866fd3e181e51050263e11dff4b1fac67bcac3c253d4c9206c2e0f36bd10d49ed6d3a0c96fb72f17ddc29af87017660c6
SSDEEP

49152:g2RKpPXvqtDEvLXwCOHnfwpQ09nuXq8qjtoi:g2RaPXvw4jXwCafwNNuX1qR

Score

10^/10

amadey lumma 9c9aa5 discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

Extracted

Family

lumma

https://shineugler.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	04bccb6bee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	04bccb6bee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04bccb6bee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	gLcipkIV1EWwFPUd.exe

Executes dropped EXE 64 IoCs

pid	Process
2884	skotes.exe
1700	ShtrayEasy35.exe
2832	gLcipkIV1EWwFPUd.exe
1484	7DY2Zs9CvGT19JM3.exe
2808	uOF1plsARApBM4ay.exe
1364	iPpM1G1BBHjbph66.exe
7536	LPEuUWHrV714NF53.exe
7596	6zd8PHNy6ix7DJQO.exe
7644	64YphMAFVtKcUVST.exe
10604	YptMPmoPzmszGNfK.exe
11516	cayK9T0QnneMG0Si.exe
3156	ypfdBXxGjw6rGjnb.exe
4132	WkSfPTa7HRnvkyll.exe
4440	7RkenT9rwoL0QrS1.exe
4804	5Lh2GzElAy14kXnP.exe
5316	AYw9C9pNY92yke0S.exe
9172	FrgJ2W2DgY1kgJhl.exe
2120	xSXhcbfOnfbYVgG8.exe
12620	C0eD7dzCV9EOFWXE.exe
6192	sVeAAj6Wy1X8buPV.exe
3660	GbddNKAZDb6Ridna.exe
4996	v499daCaVejnY6Xo.exe
11248	PZcfd7NOtkHT7PLp.exe
11636	qS9OsxZmGKArawq8.exe
7252	6aGHq5htf4WzyfKr.exe
9884	A40fkKWld6w3sVop.exe
13956	vg15GCVjzOy0jV9i.exe
14108	0WYD3j1186lglcjo.exe
15208	JWlZO47n4fhVIiNt.exe
15148	VuankZSw1Wqh1koi.exe
15260	mS7sVqniVX5YzQU9.exe
15320	4PPm09L3HNuFbt9m.exe
10060	s0pMfJRzLhWsfJxE.exe
22068	mHPMAMwpGuXyelT6.exe
21688	myMwfXJJctUEnW8U.exe
3760	uCNklD5hr8oKOlEG.exe
19592	C2p8qYPz3YPjtw3E.exe
19756	TJYuyMRkLxFnGKlj.exe
19672	ULm0qbfdgz2lr9nj.exe
19836	f15FBqiF0I2QY92I.exe
16664	04bccb6bee.exe
13896	6OcR4SZdAyD6RNEG.exe
2228	KNRRDMSIfbvib8TV.exe
8128	mISX9vGjqDqVeO68.exe
14280	1xTtiVB99E6VYkzM.exe
2740	HFGfQ5BlAH073oL5.exe
8652	FQyVEjcDs9IIbipo.exe
10664	38FQSb25LLXlxNa0.exe
20396	NAxw9hRl0hkwi6gu.exe
14412	t6YC7yiCcnsNYVII.exe
14684	adZSL9mogYIcxHfr.exe
14140	KEMXO7UCl1VigwKH.exe
15424	tq9vsizjsf5TQmfV.exe
9668	qcf6k9NQZI8g8kBp.exe
7304	HR8657p00NN1GwAx.exe
11692	OeKudlLMAsderC8n.exe
4000	cdM44bbwNWnWgXbl.exe
9500	jGQfrZ9GR4aLqz7D.exe
2288	njqHzOw2t7HQiXDM.exe
2140	EYXsgXT9U03z3QHv.exe
3988	0TWsVPUpAfXD8pu9.exe
4108	azRxfj2Tf6PJpUEp.exe
8240	rFs6IkZlaK6djg16.exe
6408	dMih7aOiKYZ5sLdF.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	04bccb6bee.exe

Loads dropped DLL 64 IoCs

pid	Process
2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
2884	skotes.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
2832	gLcipkIV1EWwFPUd.exe
1700	ShtrayEasy35.exe
7508	WerFault.exe
7508	WerFault.exe
7508	WerFault.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
10512	WerFault.exe
10512	WerFault.exe
10512	WerFault.exe
7088	WerFault.exe
7088	WerFault.exe
7088	WerFault.exe
6660	WerFault.exe
6660	WerFault.exe
6660	WerFault.exe
11460	WerFault.exe
11460	WerFault.exe
11460	WerFault.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
10512	WerFault.exe
7088	WerFault.exe
7508	WerFault.exe
6660	WerFault.exe
11460	WerFault.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
6740	WerFault.exe
6740	WerFault.exe
6740	WerFault.exe
6740	WerFault.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
4192	WerFault.exe
4192	WerFault.exe
4192	WerFault.exe
8504	WerFault.exe
8504	WerFault.exe
8504	WerFault.exe
8504	WerFault.exe
4192	WerFault.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
1700	ShtrayEasy35.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
4236	WerFault.exe
4236	WerFault.exe
4236	WerFault.exe
1736	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WvsqHFj8\\gLcipkIV1EWwFPUd.exe"	gLcipkIV1EWwFPUd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
2884	skotes.exe
16664	04bccb6bee.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 34 IoCs

pid	pid_target	Process	procid_target
7508	2808	WerFault.exe	35
10512	2832	WerFault.exe	33
7088	1364	WerFault.exe	36
6660	7644	WerFault.exe	40
11460	10604	WerFault.exe	42
6740	4440	WerFault.exe	49
4192	9172	WerFault.exe	53
8504	5316	WerFault.exe	52
4404	2120	WerFault.exe	54
2664	6192	WerFault.exe	57
4236	4132	WerFault.exe	48
1736	1484	WerFault.exe	34
13704	4804	WerFault.exe	50
12368	3156	WerFault.exe	47
13908	3660	WerFault.exe	60
13988	9884	WerFault.exe	70
21084	4996	WerFault.exe	59
15080	11248	WerFault.exe	62
15096	7252	WerFault.exe	63
15392	7596	WerFault.exe	39
15436	13956	WerFault.exe	72
10328	12620	WerFault.exe	56
20620	11636	WerFault.exe	61
14876	7536	WerFault.exe	38
15760	19836	WerFault.exe	91
8916	15320	WerFault.exe	79
13828	15208	WerFault.exe	77
10672	2228	WerFault.exe	96
15628	15148	WerFault.exe	76
12544	20396	WerFault.exe	101
12564	19756	WerFault.exe	90
1872	22068	WerFault.exe	83
20280	13896	WerFault.exe	94
12432	14140	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FrgJ2W2DgY1kgJhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WkSfPTa7HRnvkyll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KNRRDMSIfbvib8TV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xSXhcbfOnfbYVgG8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sVeAAj6Wy1X8buPV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A40fkKWld6w3sVop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aGHq5htf4WzyfKr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gLcipkIV1EWwFPUd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f15FBqiF0I2QY92I.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7RkenT9rwoL0QrS1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6zd8PHNy6ix7DJQO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qS9OsxZmGKArawq8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JWlZO47n4fhVIiNt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GbddNKAZDb6Ridna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04bccb6bee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uOF1plsARApBM4ay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64YphMAFVtKcUVST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iPpM1G1BBHjbph66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YptMPmoPzmszGNfK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DY2Zs9CvGT19JM3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypfdBXxGjw6rGjnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C0eD7dzCV9EOFWXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4PPm09L3HNuFbt9m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v499daCaVejnY6Xo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AYw9C9pNY92yke0S.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5Lh2GzElAy14kXnP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PZcfd7NOtkHT7PLp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg15GCVjzOy0jV9i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LPEuUWHrV714NF53.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
2884	skotes.exe
1700	ShtrayEasy35.exe
2832	gLcipkIV1EWwFPUd.exe
1484	7DY2Zs9CvGT19JM3.exe
1484	7DY2Zs9CvGT19JM3.exe
1484	7DY2Zs9CvGT19JM3.exe
2808	uOF1plsARApBM4ay.exe
1364	iPpM1G1BBHjbph66.exe
2808	uOF1plsARApBM4ay.exe
1364	iPpM1G1BBHjbph66.exe
1364	iPpM1G1BBHjbph66.exe
1364	iPpM1G1BBHjbph66.exe
1364	iPpM1G1BBHjbph66.exe
2808	uOF1plsARApBM4ay.exe
2808	uOF1plsARApBM4ay.exe
2808	uOF1plsARApBM4ay.exe
7536	LPEuUWHrV714NF53.exe
7536	LPEuUWHrV714NF53.exe
7536	LPEuUWHrV714NF53.exe
7536	LPEuUWHrV714NF53.exe
7536	LPEuUWHrV714NF53.exe
7536	LPEuUWHrV714NF53.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7644	64YphMAFVtKcUVST.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe
7596	6zd8PHNy6ix7DJQO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2884	2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe	30
PID 2188 wrote to memory of 2884	2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe	30
PID 2188 wrote to memory of 2884	2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe	30
PID 2188 wrote to memory of 2884	2188	ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe	30
PID 2884 wrote to memory of 1700	2884	skotes.exe	32
PID 2884 wrote to memory of 1700	2884	skotes.exe	32
PID 2884 wrote to memory of 1700	2884	skotes.exe	32
PID 2884 wrote to memory of 1700	2884	skotes.exe	32
PID 1700 wrote to memory of 2832	1700	ShtrayEasy35.exe	33
PID 1700 wrote to memory of 2832	1700	ShtrayEasy35.exe	33
PID 1700 wrote to memory of 2832	1700	ShtrayEasy35.exe	33
PID 1700 wrote to memory of 2832	1700	ShtrayEasy35.exe	33
PID 1700 wrote to memory of 1484	1700	ShtrayEasy35.exe	34
PID 1700 wrote to memory of 1484	1700	ShtrayEasy35.exe	34
PID 1700 wrote to memory of 1484	1700	ShtrayEasy35.exe	34
PID 1700 wrote to memory of 1484	1700	ShtrayEasy35.exe	34
PID 1700 wrote to memory of 2808	1700	ShtrayEasy35.exe	35
PID 1700 wrote to memory of 2808	1700	ShtrayEasy35.exe	35
PID 1700 wrote to memory of 2808	1700	ShtrayEasy35.exe	35
PID 1700 wrote to memory of 2808	1700	ShtrayEasy35.exe	35
PID 1700 wrote to memory of 1364	1700	ShtrayEasy35.exe	36
PID 1700 wrote to memory of 1364	1700	ShtrayEasy35.exe	36
PID 1700 wrote to memory of 1364	1700	ShtrayEasy35.exe	36
PID 1700 wrote to memory of 1364	1700	ShtrayEasy35.exe	36
PID 2808 wrote to memory of 7508	2808	uOF1plsARApBM4ay.exe	37
PID 2808 wrote to memory of 7508	2808	uOF1plsARApBM4ay.exe	37
PID 2808 wrote to memory of 7508	2808	uOF1plsARApBM4ay.exe	37
PID 2808 wrote to memory of 7508	2808	uOF1plsARApBM4ay.exe	37
PID 1700 wrote to memory of 7536	1700	ShtrayEasy35.exe	38
PID 1700 wrote to memory of 7536	1700	ShtrayEasy35.exe	38
PID 1700 wrote to memory of 7536	1700	ShtrayEasy35.exe	38
PID 1700 wrote to memory of 7536	1700	ShtrayEasy35.exe	38
PID 1700 wrote to memory of 7596	1700	ShtrayEasy35.exe	39
PID 1700 wrote to memory of 7596	1700	ShtrayEasy35.exe	39
PID 1700 wrote to memory of 7596	1700	ShtrayEasy35.exe	39
PID 1700 wrote to memory of 7596	1700	ShtrayEasy35.exe	39
PID 1700 wrote to memory of 7644	1700	ShtrayEasy35.exe	40
PID 1700 wrote to memory of 7644	1700	ShtrayEasy35.exe	40
PID 1700 wrote to memory of 7644	1700	ShtrayEasy35.exe	40
PID 1700 wrote to memory of 7644	1700	ShtrayEasy35.exe	40
PID 2832 wrote to memory of 10512	2832	gLcipkIV1EWwFPUd.exe	41
PID 2832 wrote to memory of 10512	2832	gLcipkIV1EWwFPUd.exe	41
PID 2832 wrote to memory of 10512	2832	gLcipkIV1EWwFPUd.exe	41
PID 2832 wrote to memory of 10512	2832	gLcipkIV1EWwFPUd.exe	41
PID 1700 wrote to memory of 10604	1700	ShtrayEasy35.exe	42
PID 1700 wrote to memory of 10604	1700	ShtrayEasy35.exe	42
PID 1700 wrote to memory of 10604	1700	ShtrayEasy35.exe	42
PID 1700 wrote to memory of 10604	1700	ShtrayEasy35.exe	42
PID 7644 wrote to memory of 6660	7644	64YphMAFVtKcUVST.exe	43
PID 7644 wrote to memory of 6660	7644	64YphMAFVtKcUVST.exe	43
PID 7644 wrote to memory of 6660	7644	64YphMAFVtKcUVST.exe	43
PID 7644 wrote to memory of 6660	7644	64YphMAFVtKcUVST.exe	43
PID 1364 wrote to memory of 7088	1364	iPpM1G1BBHjbph66.exe	44
PID 1364 wrote to memory of 7088	1364	iPpM1G1BBHjbph66.exe	44
PID 1364 wrote to memory of 7088	1364	iPpM1G1BBHjbph66.exe	44
PID 1364 wrote to memory of 7088	1364	iPpM1G1BBHjbph66.exe	44
PID 10604 wrote to memory of 11460	10604	YptMPmoPzmszGNfK.exe	45
PID 10604 wrote to memory of 11460	10604	YptMPmoPzmszGNfK.exe	45
PID 10604 wrote to memory of 11460	10604	YptMPmoPzmszGNfK.exe	45
PID 10604 wrote to memory of 11460	10604	YptMPmoPzmszGNfK.exe	45
PID 1700 wrote to memory of 11516	1700	ShtrayEasy35.exe	46
PID 1700 wrote to memory of 11516	1700	ShtrayEasy35.exe	46
PID 1700 wrote to memory of 11516	1700	ShtrayEasy35.exe	46
PID 1700 wrote to memory of 11516	1700	ShtrayEasy35.exe	46

C:\Users\Admin\AppData\Local\Temp\ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
"C:\Users\Admin\AppData\Local\Temp\ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\WvsqHFj8\gLcipkIV1EWwFPUd.exe
      C:\Users\Admin\AppData\Local\Temp\WvsqHFj8\gLcipkIV1EWwFPUd.exe 1700
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 232
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:10512
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\7DY2Zs9CvGT19JM3.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\7DY2Zs9CvGT19JM3.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 264
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\uOF1plsARApBM4ay.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\uOF1plsARApBM4ay.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 220
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:7508
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\iPpM1G1BBHjbph66.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\iPpM1G1BBHjbph66.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 220
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:7088
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\LPEuUWHrV714NF53.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\LPEuUWHrV714NF53.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 268
        5⤵
        Program crash
        
        PID:14876
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6zd8PHNy6ix7DJQO.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6zd8PHNy6ix7DJQO.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 248
        5⤵
        Program crash
        
        PID:15392
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\64YphMAFVtKcUVST.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\64YphMAFVtKcUVST.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:7644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:6660
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\YptMPmoPzmszGNfK.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\YptMPmoPzmszGNfK.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:10604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10604 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:11460
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\cayK9T0QnneMG0Si.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\cayK9T0QnneMG0Si.exe 1700
      4⤵
      Executes dropped EXE
      PID:11516
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ypfdBXxGjw6rGjnb.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ypfdBXxGjw6rGjnb.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 240
        5⤵
        Program crash
        
        PID:12368
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\WkSfPTa7HRnvkyll.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\WkSfPTa7HRnvkyll.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 256
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\7RkenT9rwoL0QrS1.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\7RkenT9rwoL0QrS1.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 248
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:6740
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\5Lh2GzElAy14kXnP.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\5Lh2GzElAy14kXnP.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 224
        5⤵
        Program crash
        
        PID:13704
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\AYw9C9pNY92yke0S.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\AYw9C9pNY92yke0S.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 268
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:8504
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\FrgJ2W2DgY1kgJhl.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\FrgJ2W2DgY1kgJhl.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:9172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9172 -s 256
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\xSXhcbfOnfbYVgG8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\xSXhcbfOnfbYVgG8.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 252
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\C0eD7dzCV9EOFWXE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\C0eD7dzCV9EOFWXE.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:12620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12620 -s 296
        5⤵
        Program crash
        
        PID:10328
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\sVeAAj6Wy1X8buPV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\sVeAAj6Wy1X8buPV.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 260
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\v499daCaVejnY6Xo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\v499daCaVejnY6Xo.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 272
        5⤵
        Program crash
        
        PID:21084
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\GbddNKAZDb6Ridna.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\GbddNKAZDb6Ridna.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 284
        5⤵
        Program crash
        
        PID:13908
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\qS9OsxZmGKArawq8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\qS9OsxZmGKArawq8.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:11636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11636 -s 284
        5⤵
        Program crash
        
        PID:20620
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\PZcfd7NOtkHT7PLp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\PZcfd7NOtkHT7PLp.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:11248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11248 -s 264
        5⤵
        Program crash
        
        PID:15080
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6aGHq5htf4WzyfKr.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6aGHq5htf4WzyfKr.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 280
        5⤵
        Program crash
        
        PID:15096
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\A40fkKWld6w3sVop.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\A40fkKWld6w3sVop.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:9884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9884 -s 224
        5⤵
        Program crash
        
        PID:13988
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\vg15GCVjzOy0jV9i.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\vg15GCVjzOy0jV9i.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:13956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13956 -s 272
        5⤵
        Program crash
        
        PID:15436
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\0WYD3j1186lglcjo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\0WYD3j1186lglcjo.exe 1700
      4⤵
      Executes dropped EXE
      PID:14108
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\VuankZSw1Wqh1koi.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\VuankZSw1Wqh1koi.exe 1700
      4⤵
      Executes dropped EXE
      PID:15148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15148 -s 276
        5⤵
        Program crash
        
        PID:15628
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\JWlZO47n4fhVIiNt.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\JWlZO47n4fhVIiNt.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:15208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15208 -s 264
        5⤵
        Program crash
        
        PID:13828
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mS7sVqniVX5YzQU9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mS7sVqniVX5YzQU9.exe 1700
      4⤵
      Executes dropped EXE
      PID:15260
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4PPm09L3HNuFbt9m.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4PPm09L3HNuFbt9m.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:15320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15320 -s 248
        5⤵
        Program crash
        
        PID:8916
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\s0pMfJRzLhWsfJxE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\s0pMfJRzLhWsfJxE.exe 1700
      4⤵
      Executes dropped EXE
      PID:10060
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mHPMAMwpGuXyelT6.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mHPMAMwpGuXyelT6.exe 1700
      4⤵
      Executes dropped EXE
      PID:22068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 22068 -s 268
        5⤵
        Program crash
        
        PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\myMwfXJJctUEnW8U.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\myMwfXJJctUEnW8U.exe 1700
      4⤵
      Executes dropped EXE
      PID:21688
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\uCNklD5hr8oKOlEG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\uCNklD5hr8oKOlEG.exe 1700
      4⤵
      Executes dropped EXE
      PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\C2p8qYPz3YPjtw3E.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\C2p8qYPz3YPjtw3E.exe 1700
      4⤵
      Executes dropped EXE
      PID:19592
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ULm0qbfdgz2lr9nj.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ULm0qbfdgz2lr9nj.exe 1700
      4⤵
      Executes dropped EXE
      PID:19672
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\TJYuyMRkLxFnGKlj.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\TJYuyMRkLxFnGKlj.exe 1700
      4⤵
      Executes dropped EXE
      PID:19756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 19756 -s 284
        5⤵
        Program crash
        
        PID:12564
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\f15FBqiF0I2QY92I.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\f15FBqiF0I2QY92I.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:19836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 19836 -s 180
        5⤵
        Program crash
        
        PID:15760
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mISX9vGjqDqVeO68.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mISX9vGjqDqVeO68.exe 1700
      4⤵
      Executes dropped EXE
      PID:8128
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6OcR4SZdAyD6RNEG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6OcR4SZdAyD6RNEG.exe 1700
      4⤵
      Executes dropped EXE
      PID:13896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13896 -s 308
        5⤵
        Program crash
        
        PID:20280
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\1xTtiVB99E6VYkzM.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\1xTtiVB99E6VYkzM.exe 1700
      4⤵
      Executes dropped EXE
      PID:14280
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\KNRRDMSIfbvib8TV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\KNRRDMSIfbvib8TV.exe 1700
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 304
        5⤵
        Program crash
        
        PID:10672
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HFGfQ5BlAH073oL5.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HFGfQ5BlAH073oL5.exe 1700
      4⤵
      Executes dropped EXE
      PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\FQyVEjcDs9IIbipo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\FQyVEjcDs9IIbipo.exe 1700
      4⤵
      Executes dropped EXE
      PID:8652
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\38FQSb25LLXlxNa0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\38FQSb25LLXlxNa0.exe 1700
      4⤵
      Executes dropped EXE
      PID:10664
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\t6YC7yiCcnsNYVII.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\t6YC7yiCcnsNYVII.exe 1700
      4⤵
      Executes dropped EXE
      PID:14412
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\NAxw9hRl0hkwi6gu.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\NAxw9hRl0hkwi6gu.exe 1700
      4⤵
      Executes dropped EXE
      PID:20396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 20396 -s 312
        5⤵
        Program crash
        
        PID:12544
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\adZSL9mogYIcxHfr.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\adZSL9mogYIcxHfr.exe 1700
      4⤵
      Executes dropped EXE
      PID:14684
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\KEMXO7UCl1VigwKH.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\KEMXO7UCl1VigwKH.exe 1700
      4⤵
      Executes dropped EXE
      PID:14140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14140 -s 340
        5⤵
        Program crash
        
        PID:12432
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\tq9vsizjsf5TQmfV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\tq9vsizjsf5TQmfV.exe 1700
      4⤵
      Executes dropped EXE
      PID:15424
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\OeKudlLMAsderC8n.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\OeKudlLMAsderC8n.exe 1700
      4⤵
      Executes dropped EXE
      PID:11692
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\qcf6k9NQZI8g8kBp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\qcf6k9NQZI8g8kBp.exe 1700
      4⤵
      Executes dropped EXE
      PID:9668
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\cdM44bbwNWnWgXbl.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\cdM44bbwNWnWgXbl.exe 1700
      4⤵
      Executes dropped EXE
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HR8657p00NN1GwAx.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HR8657p00NN1GwAx.exe 1700
      4⤵
      Executes dropped EXE
      PID:7304
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\jGQfrZ9GR4aLqz7D.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\jGQfrZ9GR4aLqz7D.exe 1700
      4⤵
      Executes dropped EXE
      PID:9500
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\njqHzOw2t7HQiXDM.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\njqHzOw2t7HQiXDM.exe 1700
      4⤵
      Executes dropped EXE
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\EYXsgXT9U03z3QHv.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\EYXsgXT9U03z3QHv.exe 1700
      4⤵
      Executes dropped EXE
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\0TWsVPUpAfXD8pu9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\0TWsVPUpAfXD8pu9.exe 1700
      4⤵
      Executes dropped EXE
      PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\dMih7aOiKYZ5sLdF.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\dMih7aOiKYZ5sLdF.exe 1700
      4⤵
      Executes dropped EXE
      PID:6408
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\azRxfj2Tf6PJpUEp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\azRxfj2Tf6PJpUEp.exe 1700
      4⤵
      Executes dropped EXE
      PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\j1BbSuF4woILh9tI.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\j1BbSuF4woILh9tI.exe 1700
      4⤵
      PID:12744
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\rFs6IkZlaK6djg16.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\rFs6IkZlaK6djg16.exe 1700
      4⤵
      Executes dropped EXE
      PID:8240
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\nu4PBr4eJUhQ4QOD.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\nu4PBr4eJUhQ4QOD.exe 1700
      4⤵
      PID:15228
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\LND3O9DMMjcUxqJy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\LND3O9DMMjcUxqJy.exe 1700
      4⤵
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\59FhlMNrHmRqRJlM.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\59FhlMNrHmRqRJlM.exe 1700
      4⤵
      PID:10208
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\OEdTCxD4uyrOcSxX.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\OEdTCxD4uyrOcSxX.exe 1700
      4⤵
      PID:13572
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8jsIt5GDBWGmnN4Z.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8jsIt5GDBWGmnN4Z.exe 1700
      4⤵
      PID:10780
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mj1AESOBDp0qnqm4.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mj1AESOBDp0qnqm4.exe 1700
      4⤵
      PID:19516
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\N9Bdqme8cUA3QZJ8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\N9Bdqme8cUA3QZJ8.exe 1700
      4⤵
      PID:10172
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\UGLJk6phAehGkBiQ.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\UGLJk6phAehGkBiQ.exe 1700
      4⤵
      PID:20484
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\uNfRXM2b7fveKcdR.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\uNfRXM2b7fveKcdR.exe 1700
      4⤵
      PID:13004
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\E1KPvmqgmEjfayCE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\E1KPvmqgmEjfayCE.exe 1700
      4⤵
      PID:18336
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\JUOFUpUd9ZR7Wm9m.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\JUOFUpUd9ZR7Wm9m.exe 1700
      4⤵
      PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\PM0RjuW4DN379vth.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\PM0RjuW4DN379vth.exe 1700
      4⤵
      PID:19732
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8AslS5SrkvrhJOcT.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8AslS5SrkvrhJOcT.exe 1700
      4⤵
      PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\blYvzQL7EhY4RgvY.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\blYvzQL7EhY4RgvY.exe 1700
      4⤵
      PID:20560
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2srKZWbALsflrhod.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2srKZWbALsflrhod.exe 1700
      4⤵
      PID:16404
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\vvLfJ4PJ4rAukxSo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\vvLfJ4PJ4rAukxSo.exe 1700
      4⤵
      PID:9064
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\V9dkZXaCnr9NCRW9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\V9dkZXaCnr9NCRW9.exe 1700
      4⤵
      PID:10360
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\d78HDPuctz02rjDc.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\d78HDPuctz02rjDc.exe 1700
      4⤵
      PID:16420
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\N2tW5C54Mq5bC6OV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\N2tW5C54Mq5bC6OV.exe 1700
      4⤵
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\kgXLuFKqsLzXGURp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\kgXLuFKqsLzXGURp.exe 1700
      4⤵
      PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\aQGpMyOc70o8yXG7.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\aQGpMyOc70o8yXG7.exe 1700
      4⤵
      PID:21976
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\NM6lnpeR5caHnH8t.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\NM6lnpeR5caHnH8t.exe 1700
      4⤵
      PID:12440
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\hyZRTOJgSjGbQoff.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\hyZRTOJgSjGbQoff.exe 1700
      4⤵
      PID:20272
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\nBFXTtP1BZf7MPp0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\nBFXTtP1BZf7MPp0.exe 1700
      4⤵
      PID:17580
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\3f60RB0ig0RM0c8u.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\3f60RB0ig0RM0c8u.exe 1700
      4⤵
      PID:7736
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\GvKfEwO8spEvLGnN.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\GvKfEwO8spEvLGnN.exe 1700
      4⤵
      PID:26052
- - C:\Users\Admin\AppData\Local\Temp\1015581001\04bccb6bee.exe
    "C:\Users\Admin\AppData\Local\Temp\1015581001\04bccb6bee.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:16664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015581001\04bccb6bee.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015582001\2de121d283.exe

Filesize
288KB

MD5
3942ab10de31d4e6d96b70c42ec68640

SHA1
8db80b8bfb1bab3107007e3ed7b162e5ada79cec

SHA256
55bd6e8bc4a28c21c9e4f557a250d971991c58b234229a1388893655cb6ea125

SHA512
c5e285a7c9199a0e8bdd645984f7ae0786481d790e0b5df050e0b8c1501392244f296a2bd0ddaa03a2c0a9aa8e2e34b328ccdc0329d680ac752844120279395a

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.8MB

MD5
5086ec6859f91dbf4e36bfffc4150e0a

SHA1
854c904a7d05f4d8bb2acde139ad87d7792ed251

SHA256
ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166

SHA512
ad7d1068f4d1f0a0a9c0f75ad280a53866fd3e181e51050263e11dff4b1fac67bcac3c253d4c9206c2e0f36bd10d49ed6d3a0c96fb72f17ddc29af87017660c6

Download Submit
memory/2188-1-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/2188-2-0x0000000001021000-0x000000000104F000-memory.dmp

Filesize
184KB

Download
memory/2188-3-0x0000000001020000-0x0000000001325000-memory.dmp

Filesize
3.0MB

Download
memory/2188-4-0x0000000001020000-0x0000000001325000-memory.dmp

Filesize
3.0MB

Download
memory/2188-5-0x0000000001020000-0x0000000001325000-memory.dmp

Filesize
3.0MB

Download
memory/2188-18-0x0000000001020000-0x0000000001325000-memory.dmp

Filesize
3.0MB

Download
memory/2188-0-0x0000000001020000-0x0000000001325000-memory.dmp

Filesize
3.0MB

Download
memory/2884-276-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-346-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-26-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-28-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-30-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-23-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-151-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-199-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-222-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-22-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-21-0x0000000000201000-0x000000000022F000-memory.dmp

Filesize
184KB

Download
memory/2884-20-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-345-0x0000000006E90000-0x000000000731B000-memory.dmp

Filesize
4.5MB

Download
memory/2884-576-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-347-0x0000000006E90000-0x000000000731B000-memory.dmp

Filesize
4.5MB

Download
memory/2884-25-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-546-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-567-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-558-0x0000000006E90000-0x000000000731B000-memory.dmp

Filesize
4.5MB

Download
memory/2884-550-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-552-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/2884-554-0x0000000006E90000-0x000000000731B000-memory.dmp

Filesize
4.5MB

Download
memory/2884-559-0x0000000000200000-0x0000000000505000-memory.dmp

Filesize
3.0MB

Download
memory/16664-374-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-553-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-551-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-557-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-545-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-570-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-348-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download
memory/16664-600-0x0000000000120000-0x00000000005AB000-memory.dmp

Filesize
4.5MB

Download