amadey | 5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe
Size

5.4MB
MD5

4878d3d0efb5184422522fcfe86e4904
SHA1

bebfd94efdec14e0de5f5a44dc54ce62675ba03f
SHA256

5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913
SHA512

cc0f46104196450a273ec2032972aa60cd7b7edf786c3fc162dbc44c74f802d79924586a1d087e53b749a3cb79cbf0aca549f7a0d63f50764b39672c2933ffb7
SSDEEP

98304:apVxrwWH6EHMKd88VZxcAQTdecqJ8WlDFdXClshyOwUJLkhom704vBj:a/xrZH6zKd88VLXQ5e5HQURtR45j

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c9ac3a2fdc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2r8010.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1464f2e3dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e7144db7eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1i61F8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e87bd4b6e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3r02C.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
83	1392	BitLockerToGo.exe
86	3132	BitLockerToGo.exe
38	2252	skotes.exe
38	2252	skotes.exe
40	2252	skotes.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c9ac3a2fdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1i61F8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2r8010.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e7144db7eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3r02C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3r02C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1464f2e3dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e87bd4b6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1i61F8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2r8010.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e7144db7eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c9ac3a2fdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1464f2e3dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e87bd4b6e.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	1i61F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 12 IoCs

pid	Process
4088	G0C76.exe
4696	1i61F8.exe
2252	skotes.exe
2592	2r8010.exe
5208	69635d8063.exe
5840	1464f2e3dd.exe
3096	5e87bd4b6e.exe
1620	e7144db7eb.exe
2872	3r02C.exe
5472	c9ac3a2fdc.exe
828	skotes.exe
5768	skotes.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	5e87bd4b6e.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	e7144db7eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	1i61F8.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	2r8010.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	3r02C.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	c9ac3a2fdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine	1464f2e3dd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	G0C76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1464f2e3dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091966001\\1464f2e3dd.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e87bd4b6e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091967001\\5e87bd4b6e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7144db7eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091968001\\e7144db7eb.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c9ac3a2fdc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091969001\\c9ac3a2fdc.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4696	1i61F8.exe
2252	skotes.exe
2592	2r8010.exe
5840	1464f2e3dd.exe
3096	5e87bd4b6e.exe
1620	e7144db7eb.exe
2872	3r02C.exe
5472	c9ac3a2fdc.exe
828	skotes.exe
5768	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1392	1620	e7144db7eb.exe	111
PID 5472 set thread context of 3132	5472	c9ac3a2fdc.exe	115

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1i61F8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G0C76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2r8010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69635d8063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e87bd4b6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9ac3a2fdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1i61F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1464f2e3dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7144db7eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3r02C.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4696	1i61F8.exe
4696	1i61F8.exe
2252	skotes.exe
2252	skotes.exe
2592	2r8010.exe
2592	2r8010.exe
2592	2r8010.exe
2592	2r8010.exe
2592	2r8010.exe
2592	2r8010.exe
5840	1464f2e3dd.exe
5840	1464f2e3dd.exe
5840	1464f2e3dd.exe
5840	1464f2e3dd.exe
5840	1464f2e3dd.exe
5840	1464f2e3dd.exe
3096	5e87bd4b6e.exe
3096	5e87bd4b6e.exe
1620	e7144db7eb.exe
1620	e7144db7eb.exe
2872	3r02C.exe
2872	3r02C.exe
5472	c9ac3a2fdc.exe
5472	c9ac3a2fdc.exe
828	skotes.exe
828	skotes.exe
5768	skotes.exe
5768	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4696	1i61F8.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 4088	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	86
PID 5136 wrote to memory of 4088	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	86
PID 5136 wrote to memory of 4088	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	86
PID 4088 wrote to memory of 4696	4088	G0C76.exe	89
PID 4088 wrote to memory of 4696	4088	G0C76.exe	89
PID 4088 wrote to memory of 4696	4088	G0C76.exe	89
PID 4696 wrote to memory of 2252	4696	1i61F8.exe	91
PID 4696 wrote to memory of 2252	4696	1i61F8.exe	91
PID 4696 wrote to memory of 2252	4696	1i61F8.exe	91
PID 4088 wrote to memory of 2592	4088	G0C76.exe	92
PID 4088 wrote to memory of 2592	4088	G0C76.exe	92
PID 4088 wrote to memory of 2592	4088	G0C76.exe	92
PID 2252 wrote to memory of 5208	2252	skotes.exe	98
PID 2252 wrote to memory of 5208	2252	skotes.exe	98
PID 2252 wrote to memory of 5208	2252	skotes.exe	98
PID 2252 wrote to memory of 5840	2252	skotes.exe	101
PID 2252 wrote to memory of 5840	2252	skotes.exe	101
PID 2252 wrote to memory of 5840	2252	skotes.exe	101
PID 2252 wrote to memory of 3096	2252	skotes.exe	103
PID 2252 wrote to memory of 3096	2252	skotes.exe	103
PID 2252 wrote to memory of 3096	2252	skotes.exe	103
PID 2252 wrote to memory of 1620	2252	skotes.exe	104
PID 2252 wrote to memory of 1620	2252	skotes.exe	104
PID 2252 wrote to memory of 1620	2252	skotes.exe	104
PID 5136 wrote to memory of 2872	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	105
PID 5136 wrote to memory of 2872	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	105
PID 5136 wrote to memory of 2872	5136	5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe	105
PID 2252 wrote to memory of 5472	2252	skotes.exe	106
PID 2252 wrote to memory of 5472	2252	skotes.exe	106
PID 2252 wrote to memory of 5472	2252	skotes.exe	106
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 1620 wrote to memory of 1392	1620	e7144db7eb.exe	111
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115
PID 5472 wrote to memory of 3132	5472	c9ac3a2fdc.exe	115

C:\Users\Admin\AppData\Local\Temp\5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe
"C:\Users\Admin\AppData\Local\Temp\5f30d1e3023737dc9337cadc47141fc1e30ee38c98d00a69e39642885e0e4913.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G0C76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G0C76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i61F8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i61F8.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\1091953001\69635d8063.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091953001\69635d8063.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\1091966001\1464f2e3dd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091966001\1464f2e3dd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5840
    - - C:\Users\Admin\AppData\Local\Temp\1091967001\5e87bd4b6e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091967001\5e87bd4b6e.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\1091968001\e7144db7eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091968001\e7144db7eb.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\1091969001\c9ac3a2fdc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091969001\c9ac3a2fdc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5472
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:3132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2r8010.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2r8010.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r02C.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r02C.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FZFF3Z83\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SUJAQLCI\success[2].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091953001\69635d8063.exe

Filesize
429KB

MD5
a92d6465d69430b38cbc16bf1c6a7210

SHA1
421fadebee484c9d19b9cb18faf3b0f5d9b7a554

SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

SHA512
0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091966001\1464f2e3dd.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091967001\5e87bd4b6e.exe

Filesize
1.8MB

MD5
cd628b34b76fd44d828e69c0eb4529a4

SHA1
1d47f0f1d40afdc61356ccb4f9a1be6fe97f0731

SHA256
b36e04f63b20811a4a277644e7574e64f9f8c29ca67f011ae04551c442686e88

SHA512
959e9ebd955128cbe7cadf2b82f74d75909b3744df6fb0ca2faf7ad99f210339b6c304cab327b56f7b6d2486b4b36ff12c23cdbf7bd8b1e17d91247a6cc230fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091968001\e7144db7eb.exe

Filesize
4.5MB

MD5
07a9196113b1a05e55172e6c94dad84c

SHA1
5563428f09d9e0da52d27d59b70e131cb67ff10e

SHA256
b241d0c102a1b135a837998caa35336bc1c816936fade57a8cd9cf666568fb4f

SHA512
917d5cdf090eb53eb1adc3a7d919ac1a057d6caaef4cb456575a65088a1721167d513d6f1ef2c5691ac19e08b9a7da257950662cfbd43f3474eebcc0f6cbe01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091969001\c9ac3a2fdc.exe

Filesize
3.8MB

MD5
3218b2ac847459e0c866f16474f4f6b2

SHA1
13f7c800f87f99a4ab0b271f80738fed1e8ba446

SHA256
2cf9f461a777988e80fdfc39235daa47c791b1f6c8392c4c6c709cd7944f742e

SHA512
f2727db78270976d02744f107f2be23d607620e90aacfcfc7a1516339114c83dd24ce4657c69e03bca8580958d07350f7b91a9fe2b7dac95806c8165cdf195c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r02C.exe

Filesize
1.7MB

MD5
607a06e4049b3b2ba632242a7c9033c4

SHA1
bfb453debd80cb9ab481c36730c9c0b2c9b41330

SHA256
9758f25984b30da48b2f7eb05178426a53e8cb2aa2e4484ee214920dd7f146d3

SHA512
25ba0fefa2b0a4a3a3878abc5c14b97a5c44b67267063c0766482456843c7b90beca4c072fffae3a7c041ec915aba0318d283699c16730c3f790a88854bc3b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G0C76.exe

Filesize
3.6MB

MD5
15db9be55f74d896358732b6254b87ab

SHA1
5d4e0cc82b552ab358f748674608b09f5dabc5c1

SHA256
87ac9c935aa66d95979a53c8c29d98aabbcc89ba4a323755315e5c9eda72d317

SHA512
3250f505b2e309564b52dcfffde51169953b2fc1017b5ef3e36d7038fa17285be6c291a7b4f5f37c569b3c305abbaefd6583df753be1de8f41e4dc5a151e3633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i61F8.exe

Filesize
3.1MB

MD5
a8c7a8222181ef5df0796e03e7899e1a

SHA1
e086c8bf62281197d61aabb72636703356d3dc15

SHA256
f2bbb54dd3bf7f3b472fca9807d9b9f8c907bf2a083a92b85804801c3a5db775

SHA512
985688f7e8a3554aab1bcdd6b10d7ea936f025d657db16a8fbdb5553233551c4dbd5f5df80761006e18cd21f17a66973c7d278385ca934c8d92553fb433fc48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2r8010.exe

Filesize
2.0MB

MD5
e3b3b6a9c03ddeebc3640de81126eb33

SHA1
1ee2e1d7cfa26638708fed3de757db26e1b1bae7

SHA256
f9fe4f60cb0d58fdf574ea905a92531d09ed0a0db0bd847986e867858a6236ec

SHA512
fa92660629aa776a7c8a860994f4a0f73a2751e9436a552d0371e25f8049be135690447e0711dcfccc36b6be164045a0835238c7b9fcf2c3ab53222b6de1f5d2

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
68b10d9a95fa5871e4fd0ce94447bd82

SHA1
086aa0d9604bc3c38fcbd45b57b76c541f7c6b50

SHA256
dd5e73be60d20d562e21ecef683b8a31b88a96aa38a489379deb0e5545455230

SHA512
216e755af9ed8f1720112102bc0c91896dd1c1f4c341d294fa476b730b7267735480318094b3df061baf454ca9212f897136f7c39de9448601927cb8a4e8e7cd

Download Submit
memory/828-159-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/828-158-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/1392-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-143-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1620-132-0x0000000000200000-0x0000000000E3D000-memory.dmp

Filesize
12.2MB

Download
memory/1620-139-0x0000000000200000-0x0000000000E3D000-memory.dmp

Filesize
12.2MB

Download
memory/1620-131-0x0000000000200000-0x0000000000E3D000-memory.dmp

Filesize
12.2MB

Download
memory/1620-106-0x0000000000200000-0x0000000000E3D000-memory.dmp

Filesize
12.2MB

Download
memory/2252-70-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-33-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-107-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-213-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-212-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-211-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-210-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-209-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-205-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-204-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-203-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-68-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-193-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-134-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-178-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2252-168-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/2592-72-0x0000000000550000-0x00000000009E4000-memory.dmp

Filesize
4.6MB

Download
memory/2592-37-0x0000000000550000-0x00000000009E4000-memory.dmp

Filesize
4.6MB

Download
memory/2592-108-0x0000000000550000-0x00000000009E4000-memory.dmp

Filesize
4.6MB

Download
memory/2592-109-0x0000000000550000-0x00000000009E4000-memory.dmp

Filesize
4.6MB

Download
memory/2872-130-0x0000000000230000-0x00000000008CA000-memory.dmp

Filesize
6.6MB

Download
memory/2872-113-0x0000000000230000-0x00000000008CA000-memory.dmp

Filesize
6.6MB

Download
memory/3096-88-0x0000000000B00000-0x00000000011AE000-memory.dmp

Filesize
6.7MB

Download
memory/3096-90-0x0000000000B00000-0x00000000011AE000-memory.dmp

Filesize
6.7MB

Download
memory/3132-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-15-0x0000000077974000-0x0000000077976000-memory.dmp

Filesize
8KB

Download
memory/4696-18-0x0000000000630000-0x0000000000949000-memory.dmp

Filesize
3.1MB

Download
memory/4696-31-0x0000000000630000-0x0000000000949000-memory.dmp

Filesize
3.1MB

Download
memory/4696-16-0x0000000000631000-0x0000000000699000-memory.dmp

Filesize
416KB

Download
memory/4696-14-0x0000000000630000-0x0000000000949000-memory.dmp

Filesize
3.1MB

Download
memory/4696-17-0x0000000000630000-0x0000000000949000-memory.dmp

Filesize
3.1MB

Download
memory/4696-32-0x0000000000631000-0x0000000000699000-memory.dmp

Filesize
416KB

Download
memory/5472-129-0x0000000000C00000-0x0000000001623000-memory.dmp

Filesize
10.1MB

Download
memory/5472-155-0x0000000000C00000-0x0000000001623000-memory.dmp

Filesize
10.1MB

Download
memory/5472-148-0x0000000000C00000-0x0000000001623000-memory.dmp

Filesize
10.1MB

Download
memory/5472-147-0x0000000000C00000-0x0000000001623000-memory.dmp

Filesize
10.1MB

Download
memory/5768-208-0x0000000000620000-0x0000000000939000-memory.dmp

Filesize
3.1MB

Download
memory/5840-73-0x0000000000370000-0x000000000066B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-69-0x0000000000370000-0x000000000066B000-memory.dmp

Filesize
3.0MB

Download