Analysis

max time kernel: 182s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/02/2025, 12:15
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://www.mediafire.com/file/vg7a2g534gxlyka/Kraken_Cheat.zip/file
Resource: win10v2004-20250217-en

General

Target: http://www.mediafire.com/file/vg7a2g534gxlyka/Kraken_Cheat.zip/file
Malware Config

Extracted
Family: meduza
Build name: 444
C2: 109.107.181.162
anti_dbg: true
anti_vm: true
build_name: 444
extensions: none
grabber_maximum_size: 1048576
links: none
port: 15666
self_destruct: true
Signatures

Meduza Stealer payload (34 IoCs)

Meduza family

Downloads MZ/PE file (1 IoC)
- flow 168, PID 1924, msedge.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation (Kraken.exe)

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (7 IoCs)
- PID 4064, 7z2409-x64.exe
- PID 4088, 7z2409-x64.exe
- PID 1956, 7zFM.exe
- PID 1376, Kraken.exe
- PID 4328, Kraken.exe
- PID 1636, Kraken.exe
- PID 3748, Kraken.exe

Loads dropped DLL (1 IoC)
- PID 1956, 7zFM.exe

Accesses Microsoft Outlook profiles (1 TTP, 5 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 186, api.ipify.org
- flow 185, api.ipify.org

Suspicious use of SetThreadContext (2 IoCs)
- PID 1376 (Kraken.exe) set thread context of PID 4328 (procid_target 130)
- PID 1636 (Kraken.exe) set thread context of PID 3748 (procid_target 133)

Drops file in Program Files directory (64 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7z2409-x64.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7z2409-x64.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 428, cmd.exe
- PID 3712, PING.EXE

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (21 IoCs)

NTFS ADS (1 IoC)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 48203.crdownload:SmartScreen (msedge.exe)

Runs ping.exe (1 TTP, 1 IoC)
- PID 3712, PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1956, 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeRestorePrivilege, PID 1956, 7zFM.exe
- Token: 35, PID 1956, 7zFM.exe
- Token: SeSecurityPrivilege, PID 1956, 7zFM.exe
- Token: SeDebugPrivilege, PID 4328, Kraken.exe
- Token: SeImpersonatePrivilege, PID 4328, Kraken.exe
- Token: SeDebugPrivilege, PID 4452, taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 4452, taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 4452, taskmgr.exe
- Token: SeDebugPrivilege, PID 3748, Kraken.exe
- Token: SeImpersonatePrivilege, PID 3748, Kraken.exe

Suspicious use of FindShellTrayWindow (64 IoCs)

Suspicious use of SendNotifyMessage (64 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4064, 7z2409-x64.exe
- PID 4088, 7z2409-x64.exe

Suspicious use of WriteProcessMemory (64 IoCs)

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Kraken.exe)

Processes

msedge.exe (PID 5052)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.mediafire.com/file/vg7a2g534gxlyka/Kraken_Cheat.zip/file
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Child processes of PID 5052:

  msedge.exe (PID 1852)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeac1a46f8,0x7ffeac1a4708,0x7ffeac1a4718

  msedge.exe (PID 1764)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

  msedge.exe (PID 1924)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 3248)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

  msedge.exe (PID 112)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

  msedge.exe (PID 2692)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

  identity_helper.exe (PID 2364)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

  identity_helper.exe (PID 1516)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 1068)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

  msedge.exe (PID 4860)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

  msedge.exe (PID 2436)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8

  msedge.exe (PID 4940)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

  msedge.exe (PID 4704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 4424)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

  msedge.exe (PID 4844)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

  msedge.exe (PID 1104)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1

  msedge.exe (PID 3872)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1

  msedge.exe (PID 4948)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

  msedge.exe (PID 4272)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

  msedge.exe (PID 2020)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1

  msedge.exe (PID 3848)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵PID:4556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:12⤵PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:82⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424
-
-
C:\Users\Admin\Downloads\7z2409-x64.exe"C:\Users\Admin\Downloads\7z2409-x64.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4064
-
-
C:\Users\Admin\Downloads\7z2409-x64.exe"C:\Users\Admin\Downloads\7z2409-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12620441881882763444,7070674445941806784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3588 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:836
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4516
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1864
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3240
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Kraken Cheat.rar"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1376 -
C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:428 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3712
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4452
-
C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1636 -
C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"C:\Users\Admin\Desktop\Kraken Cheat\Kraken.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
MITRE ATT&CK Enterprise v15

Discovery (technique: number of matching signatures)
- Browser Information Discovery: 1
- Peripheral Device Discovery: 1
- Query Registry: 4
- Remote System Discovery: 1
- System Information Discovery: 4
- System Location Discovery: 1
- System Language Discovery: 1
- System Network Configuration Discovery: 1
- Internet Connection Discovery: 1
Downloads