Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
254s -
max time network
261s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/01/2025, 18:01
General
-
Target
https://www.dropbox.com/scl/fi/5xgphf3srvo005sux8d56/MasterKeyX_Pro.zip?rlkey=ydmy472krtm9tci80mfhpivo6&st=wc5mzc5m&dl=1
Malware Config
Extracted
vidar
https://t.me/sc1phell
https://steamcommunity.com/profiles/76561199819539662
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Extracted
lumma
https://toppyneedus.biz/api
Signatures
-
Detect Vidar Stealer 2 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.dropbox.com/scl/fi/5xgphf3srvo005sux8d56/MasterKeyX_Pro.zip?rlkey=ydmy472krtm9tci80mfhpivo6&st=wc5mzc5m&dl=11⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad86346f8,0x7ffad8634708,0x7ffad86347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7096 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14014663487851438143,4417658138694710164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16451:90:7zEvent321411⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8328:88:7zEvent167961⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Manual.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Readme.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\MarineAquarium3.exe"C:\Users\Admin\Downloads\MarineAquarium3.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-3PBKR.tmp\MarineAquarium3.tmp"C:\Users\Admin\AppData\Local\Temp\is-3PBKR.tmp\MarineAquarium3.tmp" /SL5="$F023C,4133510,798720,C:\Users\Admin\Downloads\MarineAquarium3.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\MarineAquarium3.scr"C:\Windows\system32\MarineAquarium3.scr" -register3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\MasterKeyX_Pro_v4.3.exe"C:\Users\Admin\Downloads\MasterKeyX_Pro_v4.3.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\SereneScreen\Marine Aquarium 3\MasterKeyX_Pro_v4.3.exe"C:\Program Files (x86)\SereneScreen\Marine Aquarium 3\MasterKeyX_Pro_v4.3.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\SereneScreen\Marine Aquarium 3\MasterKeyX_Pro_v4.3.exe"C:\Program Files (x86)\SereneScreen\Marine Aquarium 3\MasterKeyX_Pro_v4.3.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
-
C:\Windows\System32\MarineAquarium3.scr"C:\Windows\System32\MarineAquarium3.scr" /S1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
734B
MD5e192462f281446b5d1500d474fbacc4b
SHA15ed0044ac937193b78f9878ad7bac5c9ff7534ff
SHA256f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
SHA512cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3
-
Filesize
345B
MD50a4ccb656ca61bbc3dd96fb409d76ff1
SHA14338ba76cba7e2bde6722dece301e0ee17ee8f78
SHA256b046c3cbd4c9e0a8296840dc610469bab5cb561afbcf63bffb330f09c23c51db
SHA51299904a49f6389a9acebb4196a4885ee5f962958776199f40972406379dbe74c00df50e5fbb7de3b58ffe5cb59878c13c165fac6bd9db087c0a369a61a1c36593
-
Filesize
192B
MD5fecc1788e505296111aab20b0b0371a8
SHA18ebeb5844c40ef0ab5f8ba42464e70ad9c2d2644
SHA25660c05696c9248b3afd9825b4b9f7e4099d1db25e625685fe1fe04e5c77ecd154
SHA5120ed4ffa0045537bc2ee0b65094e96e0f990f25abec40fa388e55e26d9c1d359209c37637a688a309cd0017b2174ab17d91fc56ba425de185aeddfe63ca007bea
-
Filesize
544B
MD5bdb95bf0fd4deedeb88f82740c56b505
SHA106ba94ad32633a8885583e8d44aab394ff97e8e7
SHA25677a8f5ec5229a0c4b90acfeac42dc4b3516eb2b6be4c34c3564eb32bbfe38fde
SHA51223fe97c160c268f1bf4185b945dcd7423a639e30ab5dc765833b0f5110dc147e3604d692182e36d9371ecd4ffa2a7d302839e078396eaefe1b047351d6fdc454
-
Filesize
1KB
MD5659a2e9e8ca92b3f89056c85c82f51c6
SHA1bdf8452b0cb5aa2f37826f9af8e3182331ecd0c0
SHA256ce68b74bfb3a2bc831aa381058a7e50580e4745ad53e2b17177d98dc541ff3e0
SHA512376be6ac8c7619ae906098c53d136c8045559f1d71b4468fe643c40b504151cfaba139ac275aa0f1a209aa4dff75a4776080b89c8771a4ede8f509e310243b4f
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
215KB
MD57b49e7ed72d5c3ab75ea4aa12182314a
SHA11338fc8f099438e5465615ace45c245450f98c84
SHA256747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6
SHA5126edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985
-
Filesize
20KB
MD5a8174c9a4655557472047b71f38662de
SHA1bc82b31b0f7391e7a148e1f8192f6ac54ab83e06
SHA256e4a9f323df331aa8e398510bdbd05c08a1b28054651ee11e07faa37868d4e8c4
SHA512e954361a33dd9905bdee6fab500deee684eebe03ba6d9ce790add0e7b9021aa42b0b0eda9354d30ba63ca4557d2fb834138ef30d45cd67052e358e1643863826
-
Filesize
2KB
MD5c22a55304b695e7d31d6fefcb5417da5
SHA1d17c642bf441fc2838e36d55875bcf7c134d2764
SHA2567f4d1a9b8c0aba511c9d7a4d495b8b885752d7b5323163e4cdcbd312b0038660
SHA5120adfc18ec5956bcb9b2802dba7581173dc9638e17f8ffd2f4655fa979cc093c340fc50af695328b5205ad3e278e67e5152545b24a38aed6858ce74dd933c34d2
-
Filesize
2KB
MD599bbe21b75bbf43c922658b7f54ed8d2
SHA1b63a0eeecc07cb8723384bb3ce93cf6df2c0f195
SHA2568717ce730e93d89daa5061f8f9e03a3987f2ab860b39122de444ede20c3182cb
SHA5120a63d5c1d8d71bea269d2adbc3c7f79d3cd7bd7cc30594b142a87f20caa31a196a526a12be74a6b5db378dbd58f430234a7126b142712accaa760c8d5773b05c
-
Filesize
6KB
MD5a9d9eb9a9356f5c370b71e57ded6ad67
SHA1c94f4db1ee296832a6cd9f11432ccf92543afd88
SHA25619289694477b0bb5257d98692955f7a05c9afcdbdb15c0fb751159ea7f748b3f
SHA512ebae8b22ba77c49275cdf755acbb768319e4ac2a2a0ac00064a9f7d9cbca4f67a2f45f89d8f3b20294209ce7c66b9d764e2b85b2ff0bf8c4f8c9832052de5c6d
-
Filesize
7KB
MD5221721e3e6abedf88b1c1418e069bfeb
SHA18de6397429b91be44752c84829bb30bec6989deb
SHA2565b0833bc093d29e5a3ea38994970ce267c52f85018b49b1ce54e7ae19d301847
SHA51213a57d346c8c86421c01a8ea445ce4ba15f17b9f158bcef5363842c64ca5bbb8165354880c31f1b33d2c856b028702e77d3877b1ef4d54be6f2c8e87a0d757e7
-
Filesize
7KB
MD5a6bc4def283e4bb4cd9b334a1d5edb7f
SHA116c3c9cb0c423df223099efbe8ed7c2493507eb4
SHA256fbe3ae22eb8e45289402f1d934cef4a041590ed657801afe39de541081cc834c
SHA512a39b9f96dc1bbf5bd9f5e2990a51c3a536a1f411c7e7b402c32dad422ec190c098c014b4b6adfe64fb90c1cae124ee5ce4287926ad129c68512ccb7d9068e3b3
-
Filesize
5KB
MD5599239e82d8dc0d22c00fac65bb0c955
SHA1ccd1a20b9727ed5fafb54623f102448093291b96
SHA256a5dd4256e777a80a9df0aec2956b39e34146ca7accd659d21d5317f1609cd83d
SHA512e7f58eb555b7ae71c1658b8c7fdad3833e86b9c4ad2c4670461a47db8b517b59ca9cc842fdfc12556e0a3d76e3ad8a5404d7e2c8d2ac0a6bc8293972f1f40c25
-
Filesize
6KB
MD5daff3b7ed1f7a36dd076a9d24b67cf6f
SHA1554da6f20dccaaec0643f6294fbc80295f2e5539
SHA2560ec93c31e7a2960680a0ac33ffbb1ee87ba30954cfe4a99f0888360cd2c7d31e
SHA5122b90dec6c39e1835461508343120e5eb95ffbd41097a0697dcb5c598ceee24d1ab2adb09af9fce3cfc727b2593bf451aabcb4567b8f199148c36d833f46dd8de
-
Filesize
1KB
MD51d1d0cd8773ae865e7f994653676d1f5
SHA12d2f3ef9fc05a25282cef811de8c895b8c8e1527
SHA256a353f7b3a32c076cd487ffb4aac25f5b0b4ab2343019fd13069f212f8e4c5a41
SHA512c0013a612f76807ff810aa1a4b3911ca4245722387377003024833f88a0a08f55108b57a051286934d2eaf73836676a04952f4b2383c0b5a72c7aa42f6730763
-
Filesize
1KB
MD5b4147e17bda62c1414e23e30e8c324e2
SHA1214d25a7fc84ca445a5bfe064a74b2f9312010a6
SHA25645a4828fd88637b5e0389a94f44d7d76d66aa48f338d73b73459464be3d70334
SHA51231d896290f1081f66c2d628d5e99b8b1a8368b0ec1097e57b8a3639da858efe628cee3fdbd9bf6436e558fec9b0e6688559122de79018fc2a6d67ba4cfaccafa
-
Filesize
1KB
MD5a99a92a10f81f6ac346f5d97049539dc
SHA18dd62ff940772a29b92cba10f847badbe5e2ef44
SHA256543570312ab0103f94a17897eb8ff24145c7cf1a53a913a3254d093776d330c1
SHA512bcb9d4b2d7dcf6e5e1bae39e27874cbef92d594bb5130d05ecfb0e1a4a2880aa43bb5163afe5bb25890b98c8aafdc76625562faeb9d06a654018006ba2076768
-
Filesize
370B
MD5a2abd5fa66f6001e4e1faf555d239cab
SHA1ec9de91de94bc6556c4bcb8914de04c679930cd9
SHA25620f4d90c0e4fef89a0976ab7cfc6a7e34c45c49d7e73d6cb0f185814a8fabc3c
SHA5127211ba0a459de47fbb6f457f4a1c142deb3635a81260bd03f44119de7d300a501fbdcf17d2e2f98eba74d6667ab470990218e73301a914b19968e32af984f410
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5a14dec42a013d7e790e36c452ac94c3f
SHA13c4b0fd9295de29843c51dd63a6a02c66bcfac7e
SHA2568be6aae0a54f07827b1b0fe3f63646df2b45a372726c13d7fa015d590b87a36f
SHA512135d17ea1b7d4a39c9b231cd5ba91aaa3b92e0b49e7b4ad6ea47569b5b84d3eabff1a6122379500cdf489d147e70bfc88eba4fddf07de7ba021d01bf150506a7
-
Filesize
10KB
MD5dbed632fc54adb3b10a5606536d87432
SHA13eea53ffae3de12d66b09a6b7aa3e7bf18a6d288
SHA25628d4d536812db37fa3131c0bd876bb995717d8a9a39cb7f8822b2d26895e3ed8
SHA512e7e966ea3da48a23f24d110b5d1f0046b3cdfe2596529c64b5386e98895b002dbcdc17f2e3fc0a5cae20e44fb2488ccad6196228faa67f4b3256a06c8475bf37
-
Filesize
2.5MB
MD5daa29183406deb91aaf9c466726d6ab6
SHA1ee81e05c839c7a7770585216367b80f53a93f1d5
SHA25652b86c9d4b8810a224b27c185fcf12d5fb32c4d87507fe4d98976d97f44d6569
SHA5124c8f1471df72680ea03e6432e758d57dbc1d5fc0d56c8f2965b2db2787ad83febf29c399894552c53f883321dac5bdce78fafafbd22cb25d305be4ae1f8f3ead
-
Filesize
109B
MD5df1d88cf3ca033d49b550355e0d0cc23
SHA13088678571aab63ba52a5a6b97f43a588b56f240
SHA2562b1867fc5400ff2efb25ea7913cfd970aca47e0f08931e5eff4b84628ee347cf
SHA51279a5576fc024d18345816919a03985347ffc092c310d87aca32947cf715d4e5a078e38bf8cabdb7c7fe134e302c86270c7662222268590ac0b0bd551096177f4
-
Filesize
782KB
MD5759ab3658c9bc6af1d9885d549173ebf
SHA1d8495e9cc8ef8f80a4a149aa633964fca3e08ae3
SHA25609267e88154b76a263fd7501e1325744a316ac686182c175de0f383a6616d6f2
SHA512b3e3bf950a95f68237ff96b1e679acbfe6715094e9fc0a48dba227cabe0e82f2fa7b9f2346330b594e4111ffb11dcdb5500b58cfde99c441e470ad24724a271b
-
Filesize
106B
MD533c9915b02194bb74e44c2cacc4bddc7
SHA1c38527c5e50b20a1155dd36fdbb6df6ccf364726
SHA2564b64ccae9b409a4d6ff725d3662141407846b43f21a1a2b1036cf4c46794b2eb
SHA512d108893b6f3862170c6a1a4b24f0e5d458eef43d8548abff13fa3cf078fc84d72d1471b32936f84583fbf1c8583210503b63a38cbf9e4be46a333f2a2fd56065
-
Filesize
4.6MB
MD5b9b9c2cffd93f6ae2aa8336f26d38923
SHA186ad72d0f69018ff0ba667d24e71d5b635cfc928
SHA256e5c3ce07ec40a8a5d946cf2353d607780afb0065276d9ce9f1e45aabb73d0fd5
SHA5126ae1a7da930542a6cff358e375486f0f6a55e4a9ef4ad875bf67e64fb9890001b4639482a28cddb642a37173e3f6c99b01a186295694b1dc44dd6587d9edc99e
-
Filesize
6.9MB
MD5e8a1fee5a2e22c4ffe9b6df374d41bf3
SHA1ae6c17a1f08d64dadfa0168804b4bf0e04ab1a90
SHA25626d4bad747d764fdcc340cf84b0230e857c800606f14e6911c4e4dcd0b5aed9e
SHA5122586780ff35b865a1dfa759de95ae42dfac62c8ec8a9746a1309179246f160a2b338c772cd0dc5e55d33353da09c733420bbb85110671b3a1ca26e0e531b3853
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
104KB
-
Filesize
624KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
2.8MB
-
Filesize
3.3MB
-
Filesize
800KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB