Overview

overview

10

Static

static

3

Fuckman1222.exe

windows7-x64

8

Fuckman1222.exe

windows10-ltsc 2021-x64

10

Fuckman1222.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags

    arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/02/2025, 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fuckman1222.exe

  • Size

    357KB

  • MD5

    61d52fac0e14469242d7a57c38fb69f9

  • SHA1

    ba287e919dbd980dc21390c9eca47904463b43b5

  • SHA256

    b9b4f637ac232a76c562a0c693f217d40c1c42652f8a78bef2cf4caceb9eb164

  • SHA512

    9f84bc269b0a4c0b31866a9982e90a4273a0d2bea4bf53a100c6083c1fe75515847e2d84b0f4f4b1d79eaa2185ad1a9893b67337d10069fb30e969231db2580d

  • SSDEEP

    6144:b7zZpiCk17utgPi6NViFY1mIHYH2bOVOWX74DscbbQHzm5ZO0zg8lMSKkbgSJTjr:PzZpiV17uqPi6a4mIG2yVlLKPb+zm5Z9

Score
10/10
amadeyfed3aadefense_evasiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Downloads MZ/PE file 2 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe
    "C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe
      "C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe"
      2⤵
        PID:2816
      • C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe
        "C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe"
        2⤵
          PID:1228
        • C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe
          "C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe"
          2⤵
          • Downloads MZ/PE file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:112
          • C:\Users\Admin\AppData\Local\Temp\L65TFNPB9O3YRJEA.exe
            "C:\Users\Admin\AppData\Local\Temp\L65TFNPB9O3YRJEA.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:4076
        • C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe
          "C:\Users\Admin\AppData\Local\Temp\Fuckman1222.exe"
          2⤵
          • Downloads MZ/PE file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\L65TFNPB9O3YRJEA.exe
            "C:\Users\Admin\AppData\Local\Temp\L65TFNPB9O3YRJEA.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3720
            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4468
              • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
                "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2080
                • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
                  "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:564
                • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
                  "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4480
                • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
                  "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1220
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 856
                  6⤵
                  • Program crash
                  PID:3428
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1320
            3⤵
            • Program crash
            PID:488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 864
          2⤵
          • Program crash
          PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848
        1⤵
          PID:2368
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU4MkI1QjgtMTlEMC00RDZELTg2NEItQTEyQkMyREQ1OEVBfSIgdXNlcmlkPSJ7RUU4RTBBRDgtRDNBMi00NEQwLUE2M0YtNjdDRTM1NUFFMjA5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTBDODgyNzMtMDc0Qy00NTM0LUFENjQtMjZBRkY3MDdBRUNEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTM0NSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3OTQzMzU2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNTY0OTQxMzYiLz48L2FwcD48L3JlcXVlc3Q-
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3324
        • C:\Windows\SysWOW64\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2680" "1280" "1156" "1284" "0" "0" "0" "0" "0" "0" "0" "0"
          1⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:1560
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU4MkI1QjgtMTlEMC00RDZELTg2NEItQTEyQkMyREQ1OEVBfSIgdXNlcmlkPSJ7RUU4RTBBRDgtRDNBMi00NEQwLUE2M0YtNjdDRTM1NUFFMjA5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5MTAwN0I0MC1GRDEwLTQ1NEYtQjdEMS02Nzc2MTc5NzFDNzh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDg2MCI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNjE2NTA0OTQiLz48L2FwcD48L3JlcXVlc3Q-
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3584
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU4MkI1QjgtMTlEMC00RDZELTg2NEItQTEyQkMyREQ1OEVBfSIgdXNlcmlkPSJ7RUU4RTBBRDgtRDNBMi00NEQwLUE2M0YtNjdDRTM1NUFFMjA5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGNDhBRTY2Ri00RTQzLTQyMjktOEExRC0yMDI0OEQ3MjU0RkF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC45NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MUVFRkRENy0zNTlBLTREOEQtQkNGNC04RkRCMDAzREZCREF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuOTEiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzA4NDY5MTI0MjUwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezk2RkY3RjA4LTIwQTQtNDM3NS04MzNDLUIyMDBFQURERUNGNn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjUzIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkI1Qjg0NDktMDIxQS00QTc3LTlDNEUtNzMzNDNDM0Q3QjI1fSIvPjwvYXBwPjwvcmVxdWVzdD4
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:2080
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3768,i,3145916790383377020,3832351671446480152,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:14
          1⤵
            PID:3444
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
            1⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1184 -ip 1184
            1⤵
              PID:1120
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2080 -ip 2080
              1⤵
                PID:4516
              • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                1⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:2820
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5400,i,3145916790383377020,3832351671446480152,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:14
                1⤵
                  PID:2492
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4072,i,3145916790383377020,3832351671446480152,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:14
                  1⤵
                    PID:1608
                  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2936

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
                    Filesize

                    378KB

                    MD5

                    4d68caf5a0eaba150f4f468262603917

                    SHA1

                    a1d9d253f0490ec9320899f960637d4c07ff22f9

                    SHA256

                    59a4f613e46b013b25af6467245863176d037b04ae0895e767d7e062c9caa8ec

                    SHA512

                    b8d9d7cb35443b43f64727ef90648d02e4bcce1333d011b75513cc32c97942edb34130a0c0b0840cae8cfbbea3ba458dec616b3debef2a131a0090d4d54b1807

                    Download Submit

                  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
                    Filesize

                    404KB

                    MD5

                    1cce61d5e28b47b4f77ac4edcf65428e

                    SHA1

                    cd6db1527de1160e60ea3b89c5ddcd94f97ded35

                    SHA256

                    3c4c046d90fe098085141834e6d23da2c85bb00878b9a12a1eebdaabc6aae8b2

                    SHA512

                    fc9954104d72ce5d36b2ab31273abb406ff217614586ca9019e0df361487ef482e4d8a7df10878f47c345dc7bd5f31f7b905bc25664534898b39cfe9dc310a65

                    Download Submit

                  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
                    Filesize

                    417KB

                    MD5

                    bc4f4cab35312e96c99c3c474e6190aa

                    SHA1

                    9d130bfb8efb400cf5ccfc1a53f0d39540cc8f11

                    SHA256

                    0dd671bfdddecc766a5793c096d02f11d51d371b05b7adfb0bba59e179aa2b6e

                    SHA512

                    f067da47f54262af1919817d05c22b157ceb1b1792ec1030b577dcf95e70a52c3ed30006afb63ff62e1dbb5f3b59b046862d2cb7ee4ede3d94b194062ee939d1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
                    Filesize

                    501KB

                    MD5

                    c80b4443546055bfdc0f3edc5b88abe8

                    SHA1

                    4df4951f787aca9b1fbeafa4590614fa9db9db4a

                    SHA256

                    6d15b1a8ef83b775e3a71618c88a2e1b4dbffb8b81afe61552e8af2d77214d64

                    SHA512

                    1388114d4cf91a7ae5bc1c37a1caae5e3c17cfd02a2730fa3398582ad8896d8f7a94bf7f730d855cebe9dff1af31abafc3d82e831514a16d5f17333879d5c324

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\L65TFNPB9O3YRJEA.exe
                    Filesize

                    1.8MB

                    MD5

                    c85b31285d25a60c52ca68a12666bab2

                    SHA1

                    52ca79e85e2d171a4fab23e9fa934bee82f0c81e

                    SHA256

                    17877408071345861ebaa176742af045ea1f6f274d7dc458c653adec2263e237

                    SHA512

                    4391a4993575cd806411dc185b403e3b1afb3a0af0d893135660517b7f59f85933e8b5ca4f16e0799872f98780d07d04d062528886a3c422e7a5fced1df9110f

                    Download Submit

                  • memory/112-4-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/112-12-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/112-25-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/112-7-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/1184-11-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/1184-64-0x00000000040D0000-0x0000000004595000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1184-24-0x0000000000400000-0x0000000000455000-memory.dmp

                    Filesize

                    340KB

                    Download

                  • memory/2080-83-0x0000000000CD0000-0x0000000000D50000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2820-94-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2820-93-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2936-108-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2936-109-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/3720-42-0x0000000000160000-0x0000000000625000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/3720-30-0x0000000000160000-0x0000000000625000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4076-99-0x0000000000AE0000-0x0000000000FA5000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4076-100-0x0000000000AE0000-0x0000000000FA5000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-102-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-101-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-47-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-107-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-105-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-43-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-104-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-95-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-60-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-103-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-67-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4468-61-0x0000000000770000-0x0000000000C35000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4480-89-0x0000000000400000-0x000000000045B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/4480-86-0x0000000000400000-0x000000000045B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/4848-0-0x00000000739BE000-0x00000000739BF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4848-10-0x00000000739B0000-0x0000000074161000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/4848-2-0x0000000005EC0000-0x0000000006466000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/4848-1-0x0000000000E80000-0x0000000000EE0000-memory.dmp

                    Filesize

                    384KB

                    Download