Analysis
-
max time kernel
144s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-02-2025 05:21
General
-
Target
a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
-
Size
1.8MB
-
MD5
a10444829e13be882db6464255dc0082
-
SHA1
73e6651e812cf3e44df7124af78f2208ea288e91
-
SHA256
a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd
-
SHA512
de8cc0f27ca4c9ef411554ca5c6283ea150bca382b6f2a31016f419347d2fee5cc98695e81512a099a3a1db6ad3e548e42af7ab3755d0b00dee75b8cefca25cd
-
SSDEEP
49152://zvq83jOBXUjCT/1D4z0f0TwgrJNXI8rlHTOHy:/7q83KBkjs1D4zc0nrrY8pT
Malware Config
Extracted
stealc
reno
http://185.215.113.115
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://rampnatleadk.click/api
https://cozyhomevpibes.cyou/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file 10 IoCs
-
Uses browser remote debugging 2 TTPs 7 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 46 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 13 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe"C:\Users\Admin\AppData\Local\Temp\a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\X6M0VLCR63TKL2S91B72.exe"C:\Users\Admin\AppData\Local\Temp\X6M0VLCR63TKL2S91B72.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\JVNKDNXUVCS503HBHMLJ7YL1Y9.exe"C:\Users\Admin\AppData\Local\Temp\JVNKDNXUVCS503HBHMLJ7YL1Y9.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1069302001\111489a18e.exe"C:\Users\Admin\AppData\Local\Temp\1069302001\111489a18e.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6469758,0x7fef6469768,0x7fef64697786⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1216 --field-trial-handle=1204,i,12293936253985492790,14140010869849551270,131072 /prefetch:26⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 9645⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069303001\ee2001b72b.exe"C:\Users\Admin\AppData\Local\Temp\1069303001\ee2001b72b.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 12365⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069304001\4d362618d8.exe"C:\Users\Admin\AppData\Local\Temp\1069304001\4d362618d8.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1069305001\6ecfa863f3.exe"C:\Users\Admin\AppData\Local\Temp\1069305001\6ecfa863f3.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1069305001\6ecfa863f3.exe"C:\Users\Admin\AppData\Local\Temp\1069305001\6ecfa863f3.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 5165⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069306001\d3d20ab1b4.exe"C:\Users\Admin\AppData\Local\Temp\1069306001\d3d20ab1b4.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1069307001\6de1b79106.exe"C:\Users\Admin\AppData\Local\Temp\1069307001\6de1b79106.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069308001\9412a64fd0.exe"C:\Users\Admin\AppData\Local\Temp\1069308001\9412a64fd0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7646616⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Fm6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Tunnel" Addresses6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.comMacromedia.com F6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 156⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069309001\44f28e24ee.exe"C:\Users\Admin\AppData\Local\Temp\1069309001\44f28e24ee.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1069309001\44f28e24ee.exe"C:\Users\Admin\AppData\Local\Temp\1069309001\44f28e24ee.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 5205⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069310001\bf9c8a640f.exe"C:\Users\Admin\AppData\Local\Temp\1069310001\bf9c8a640f.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1902446⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Highest.potm6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Region" Automobiles6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 190244\Rna.com + Trials + Tour + Auditor + Indices + Interests + Bk + Not + Assessment 190244\Rna.com6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Contributing.potm + ..\Cm.potm + ..\Contents.potm + ..\Templates.potm v6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\190244\Rna.comRna.com v6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67a9758,0x7fef67a9768,0x7fef67a97788⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe8⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2216 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=1380,i,1235392096039285420,11463736554559267356,131072 /prefetch:88⤵
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1069311001\c6bc80cbdd.exe"C:\Users\Admin\AppData\Local\Temp\1069311001\c6bc80cbdd.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D0C59E3A-50FF-4D8F-B011-E318BA7DD687} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
Filesize
1KB
MD5c7f5a87d73060639d4bf835b895d8b16
SHA1e526e76f9a577d133f8b5b052ccbd58a298998f4
SHA25648e97bb1abb3d7ec73eefeea96bc0bf365c79dafc595e1dfec73a550108c1356
SHA512db7f9584b0301efe4d68d327e51349bdf559c6fc8f8d537bd138b009a2b5dd56d314186bcb210862fdc66f2e4780e5c1a43083530feaf8b11dd1aca91a89ad7a
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
170B
MD5730bb055cf3c798e14b89439911f198d
SHA1094c38ef6a92d4410b7450bd281e91ee76220a8f
SHA2563cb17b8c94900a7ddfa602bf3e09fabdb13422ecba56ad7ba5f57fdcb382d964
SHA51296ed4b7e85b92399a2daf82b1c0dab1910b9ef996acf6fc9977243f9c490347088c727485a214cc2469a53c95a3799bfeb60a1010d3f80f27150093eda4c3575
-
Filesize
410B
MD5fd2c144563ddc3bef7d84872d98a8d3b
SHA1bae83763d29caa0bda78d641e55f1055da5694e8
SHA256407b5ff87a82061d1433ac6fcd5f00ae3f51e3eb09fb7128a8d55349d91bd9e9
SHA512ee4a35b2e30ba4e4bfefeb88af68c8c56fc5efc6f23382286bac39608309518aa229614c3f0606b3a01d0a0e15e2adcf74142379027d77b21a03cc0a305e47ef
-
Filesize
342B
MD5a0c2753c07ca8e6bfe201de39990d0cb
SHA1207a3660ef5abc886488950dbc87943b6f929a1a
SHA256565d7bb0e88cbeae34b28a081129be8388b02798ab1d6fd1b3d905671fd11500
SHA512be9bb340cd9898ba8d42e15851f21024b886f3cff279c6702e9c4ae3a184a71ce7473bbf34a6eb3830b145972c65a339a637b2ef2a4df47639ae4350e6c0ba98
-
Filesize
242B
MD5697f5017700fe3b4509480009d87361d
SHA1e8ff9b4f1dbd3fe829185c5bd8081c0b8847997a
SHA256c641c7df0e4c54d47af595eb2d9079a5500679608a1f13b394dc43fd09d2fab7
SHA512fc201c163e56e84b86303e413590e295ad9403420a69f8ba027ce965625bbffd9c140e5e9624473772fc9078dfab1bbbfd8e27ae19635ab2314186f4cfe735c6
-
Filesize
40B
MD5ba9989410d716a22402772f7579c497b
SHA1e382fd8a875080e0bc8d207a7714f1bb80e49166
SHA25644b5004d498de3043d1f4775bdbeecf54135c83125021a3e68fcded07299936b
SHA512bc9b14c99089e450cae307b7439b4624265925eeee20a89bf6dc13a9e6f4a54ab242d095d0549cbffa3cd88ea622eb1ea9d6ad9154a3b75a09448aabae4c1c5b
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
170KB
MD5b7d9c568e891c6104ce6953479264a92
SHA13450575bffcd5215ce75d26f293c41abaf262ef7
SHA256012206982b6640e6b8162a5ff381cfc90b032b1a4d386ee5285eab800220827b
SHA512b5bd98edef92cdd04ad0d578bda764a0a7e66c575cd4b9a31df4988674c6bbb6b65b3ebe6585f31f7df0ae3b08071a0aaef76bfaa7f23d0ada398f8632a13f2d
-
Filesize
220B
MD5276bbb20c29087e88db63899fd8f9129
SHA1b52854d1f79de5ebeebf0160447a09c7a8c2cde4
SHA2565b61b0c2032b4aa9519d65cc98c6416c12415e02c7fbbaa1be5121dc75162edb
SHA512aeb2fe0c7ac516a41d931344767e8d7b7da418c35970a27eaa8ccfb89d28b36a44bb6db6fe28c192e0ed994d6a61463f132b86ddd246230acc7af28f083ed2bf
-
Filesize
6.3MB
MD56b0e6f3243ca5cbc84d2f86c4caf29c1
SHA11efed0bb031e2f250a504fc381d4ede73cd66465
SHA256ee8672e0766936b3c403191b6b473de71b2ae079f3cf46406058ca1709c794f8
SHA51268eb1b0fcbb57305ad76450605bf296fbbc21c6e91561a593b281727b1f795fbd5212581371af34454692ae30b7f5c877f3170b9ebf846e177b4c2f9a65e1f27
-
Filesize
1.8MB
MD570ee9d65ca5c0fc30e3b5d8ac561b988
SHA121fb7e8c00718ab02952592407ab24aa48bbcc13
SHA2560c70af5870f1b6c799d314164372ca8a0230f978403cbe20a4cd479cb2b25f95
SHA5128b70b9ee6d68811ea91a242a009082cdaf74b94aaf04e7d4ee6682600dea3dfd53ccc8402c1776b66d2eab9018d37516d4e4a68f669f3ed0d8ecfbd7b68c21d3
-
Filesize
1.8MB
MD5cc3318068f435ad2bba23d7d3cb5fb08
SHA1acdff01b288078fa0601a25c8492ce32db938240
SHA2564800155cd357982235c4aace17fd4b5eff6a3e5899b1c2574881063bdf8b09fd
SHA51221d4b5c91cfd36da8bc6e81b8804e59aa4621637be000d72842210ee565375173d8d349446d8a2e069b49b6e36dc5e665a7b3e7f6cfc167d220845be7bc1a269
-
Filesize
728KB
MD5799f5dd03ab5c4aadeb499a86dde1960
SHA13df50f0c7fecfb7579003116c2e23e0f99aa2356
SHA2561b8d6a90488693f9cf8935bc7e3357dba9673d2a03e3019d22299a9b1c0f5ad1
SHA51216d1d3f8ccf3562bf8dcb202d9a930406254375372e7bf0dda789c7be40ca158738da85ff19413364ae6d1e958cd3dc36cba75cf1050956cb06799a85ef07665
-
Filesize
2.0MB
MD5919161ec521932fd32ea0938502308a5
SHA139d4610fec270a857a7b08659f8ae7410b6bd7e1
SHA256e8bb9baba9658cde076f3f2394285a5d25c43c3e1d6ef6eb81fab42ed799fc91
SHA512c8c1d2acdc0447774f0aa0d8123bf7e4e9fb045f0b632d51d6fa9f826b019c8c38d4e999b791fa218bbe243b9d34e846353d8dfc09036a385a05b5ec746341f6
-
Filesize
9.8MB
MD5db3632ef37d9e27dfa2fd76f320540ca
SHA1f894b26a6910e1eb53b1891c651754a2b28ddd86
SHA2560513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d
SHA5124490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd
-
Filesize
846KB
MD5c3d89e95bfb66f5127ac1f2f3e1bd665
SHA1bd79a4a17cc8ad63abdde20d9de02d55d54903f9
SHA2565d07ad572a6a37d07d0b7ca990087960ad8850d7cfc56b8c7270c826c70fb56b
SHA512d85116e24cf07f3063837fab1859ae6d9313dd269e28844900cbebe7521df8c65db97bc122bb097e9887d686bdf8f786b93a06208d762fded9035d2c6448a111
-
Filesize
795KB
MD5e9ee9e540253f60d0f0f6efd140e524f
SHA1e27ae23f783d062cb13e9c9e840f3790c6e43f61
SHA2563ea9ea6d01e80568586120facc27bb2c31923d3bdcb9427cce6c458c6c6e3935
SHA5127f637aad288c0e525f2761cf2590efe0e5cce69abb7af19809fb5798a93c67fa7ffc4bc8acc4070db3d21300cc109fef409b75f0f0fd52176dcefe115cb51c58
-
Filesize
899KB
MD51e854cc21a0a1e0d4529eafa30f00c46
SHA17d46238f771042bee22b70555e69fbbecc556737
SHA256435eaccabde5605bb4d9a13ae054c63dd4e5ad61025e0515702e8121cf0a9598
SHA512278a7cee7819d5cc685dd9c075639968798341bac23718b15441d3b9b0d723eb7836e0329c5c5f096f54dcce826e8ea871d033385b72464637391a14b61f33fb
-
Filesize
1.8MB
MD58b4e2d424475eb43aa512f6820faf1c9
SHA10cc700316ec6cf7f3fcd683d44677e193527e785
SHA256d34535b5f026d3b55620c9633aeea7d923723664d7db9a40ae9396e32873e05a
SHA512afa3f37d0f35b62d8c5318ca08d775c3a6b8739fdd0482a50eaae1e7cb7e7165f30216b80ae13bd62b792ab2b38ae9436093cc22c06162bf60bd0a1c38d5f8c1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
10KB
MD56d2e9bdc77ef7d4073fe0a23d24b7346
SHA133045b56a62059a14756b961a8e4220a09fb035c
SHA2566e44faaef0ad7290e3ecbeec66dde3b959460d650f252b62e6a294758d512313
SHA5128c8d7edcda2c371c06a6bc882e056163e072a40b15df581bd7c7558d5bebf0e67dba3695855c9ad213cf17838f7cee3a340fb7222e0ddfec84b8fb21f999cbf4
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
17KB
MD58302276f879565bfcf18de8278fa2df2
SHA15ade1c7516c3299b9a3572766a6512ef079f1aa1
SHA256dd59aeaa649c3116f43228bf8da6614ae31d57e2da00777ab3b3e8dacd14258a
SHA512515352faf704f9026bf22df113089d13ff0c9de6059efc28fef9d1371ca49618a55fa19c414a8493cf354e525b288bc342732d88aa3fe3143e3fea58107dbade
-
Filesize
1.8MB
MD5fa872640e46a3e408c68fa9f9cecd015
SHA1b6d2e38792c40fc382d5908f633873078cac6c7a
SHA256a5276b574366ac82c4c8dc695e22d325343766f98b34a8d4bd67cdf94cabd797
SHA512d25ed34e8d6c0e7c49f31c4065466436d3cd997f88cc86080bcbe9667456e2c03dfd4f88be419467c038b6802061e3eccc4f15b292cc4b7905af8ac61ffe375e
-
Filesize
1.7MB
MD5e9b928780742fa22ababf73d7904af16
SHA1654d936dbea2ec1dcae7b787e9c2226425a42a76
SHA256655c7915a26a0a33320d7059b06ae220105dfc48c71b85ad0c66497115955ced
SHA51287443ea4c43dcea2b2df5c795559926f7f19627652f89c7eac7a603c8175c2945af13fefa256c3479444b2f9cc32cff3f3c5793c4a48661e2f2a6cb16635c647
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
11.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
11.3MB
-
Filesize
4.7MB
-
Filesize
11.3MB
-
Filesize
4.7MB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
10.4MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
760KB
-
Filesize
824KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
92KB
-
Filesize
6.6MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
6.6MB
-
Filesize
4.5MB
-
Filesize
6.6MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
164KB
-
Filesize
8KB