Analysis
max time kernel: 83s
max time network: 278s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-09-2024 23:11
Static task: static1
Behavioral task: behavioral1
Sample: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Resource: win7-20240903-en
General
Target: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Size: 1.8MB
MD5: f64ca25a2256b91e9c2be8ac99c31dd9
SHA1: 63b1f44deb4bbc938243817a4604d325dc83b8d5
SHA256: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e
SHA512: dc225c089d10510fdad771fb6378e749c65932325c226a39b9b3d8b7606d9947f4f796f54fa3543253f6881a3ffdc377a5208c404d58c807560332d7b6ec30b3
SSDEEP: 49152:1lKqrCJnQv/6WLyxPMNI+dgQmPpZffbqD6OYXlJK5ZS7omx:nKqrt/6U2MNI+ylxxf+0Xm5Zq
Malware Config
Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: stealc
  save
  http://185.215.113.37
  url_path: /e2b1563c6670f193.php
Extracted: amadey
  4.41
  fed3aa
  http://185.215.113.16
  install_dir: 44111dbc49
  install_file: axplong.exe
  strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  url_paths: /Jo89Ku7d/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, 713b6d630c.exe, 35a64d197c.exe, eddb4f9064.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 713b6d630c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 35a64d197c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | eddb4f9064.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: skotes.exe, 713b6d630c.exe, 35a64d197c.exe, eddb4f9064.exe, axplong.exe, b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 713b6d630c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 35a64d197c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | eddb4f9064.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 713b6d630c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 35a64d197c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | eddb4f9064.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Executes dropped EXE 6 IoCs
Processes: skotes.exe, 713b6d630c.exe, 35a64d197c.exe, f8a6401d22.exe, eddb4f9064.exe, axplong.exe
pid | process
2348 | skotes.exe
1668 | 713b6d630c.exe
1276 | 35a64d197c.exe
2600 | f8a6401d22.exe
2284 | eddb4f9064.exe
2964 | axplong.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 35a64d197c.exe, eddb4f9064.exe, axplong.exe, b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, 713b6d630c.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 35a64d197c.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | eddb4f9064.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 713b6d630c.exe
Loads dropped DLL 8 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, eddb4f9064.exe
pid | process
2908 | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
2348 | skotes.exe
2348 | skotes.exe
2348 | skotes.exe
2348 | skotes.exe
2348 | skotes.exe
2348 | skotes.exe
2284 | eddb4f9064.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: skotes.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\713b6d630c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\713b6d630c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\35a64d197c.exe = "C:\\Users\\Admin\\1000026002\\35a64d197c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\f8a6401d22.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\f8a6401d22.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000028001\f8a6401d22.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, 713b6d630c.exe, 35a64d197c.exe, eddb4f9064.exe, axplong.exe
pid | process
2908 | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
2348 | skotes.exe
1668 | 713b6d630c.exe
1276 | 35a64d197c.exe
2284 | eddb4f9064.exe
2964 | axplong.exe
Drops file in Windows directory 2 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, eddb4f9064.exe
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
File created | C:\Windows\Tasks\axplong.job | eddb4f9064.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: skotes.exe, 713b6d630c.exe, 35a64d197c.exe, f8a6401d22.exe, eddb4f9064.exe, axplong.exe, b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 713b6d630c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 35a64d197c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f8a6401d22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eddb4f9064.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, 713b6d630c.exe, 35a64d197c.exe, chrome.exe, f8a6401d22.exe
pid | process (repeated entries collapsed)
2908 | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
2348 | skotes.exe
1668 | 713b6d630c.exe
1276 | 35a64d197c.exe
1608 | chrome.exe
2600 | f8a6401d22.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: f8a6401d22.exe
pid | process
2600 | f8a6401d22.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
description | pid | process (repeated entries collapsed)
Token: SeShutdownPrivilege | 1608 | chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, f8a6401d22.exe, chrome.exe, eddb4f9064.exe
pid | process (repeated entries collapsed)
2908 | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe
2600 | f8a6401d22.exe
1608 | chrome.exe
2284 | eddb4f9064.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: f8a6401d22.exe, chrome.exe
pid | process (repeated entries collapsed)
2600 | f8a6401d22.exe
1608 | chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe, skotes.exe, f8a6401d22.exe, chrome.exe
description | pid | process | target process (repeated entries collapsed)
PID 2908 wrote to memory of 2348 | 2908 | b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe | skotes.exe
PID 2348 wrote to memory of 1668 | 2348 | skotes.exe | 713b6d630c.exe
PID 2348 wrote to memory of 1276 | 2348 | skotes.exe | 35a64d197c.exe
PID 2348 wrote to memory of 2600 | 2348 | skotes.exe | f8a6401d22.exe
PID 2600 wrote to memory of 1608 | 2600 | f8a6401d22.exe | chrome.exe
PID 1608 wrote to memory of 1076 | 1608 | chrome.exe | chrome.exe
PID 1608 wrote to memory of 2188 | 1608 | chrome.exe | chrome.exe
PID 1608 wrote to memory of 636 | 1608 | chrome.exe | chrome.exe
Processes
"C:\Users\Admin\AppData\Local\Temp\b1339e19adb494bb2dbb4cd5e086ad0cdf23c1e52b450a1034a3212243ac235e.exe" (depth 1, PID 2908)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe" (depth 2, PID 2348)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\1000023001\713b6d630c.exe" (depth 3, PID 1668)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\1000026002\35a64d197c.exe" (depth 3, PID 1276)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\AppData\Local\Temp\1000028001\f8a6401d22.exe" (depth 3, PID 2600)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd (depth 4, PID 1608)
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6719758,0x7fef6719768,0x7fef6719778 (depth 5, PID 1076)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:2 (depth 5, PID 2188)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:8 (depth 5, PID 636)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:8 (depth 5, PID 1052)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:1 (depth 5, PID 2776)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:1 (depth 5, PID 2180)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2568 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:1 (depth 5, PID 1980)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:2 (depth 5, PID 2664)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 --field-trial-handle=1244,i,15424569852692032243,15528398402869159550,131072 /prefetch:8 (depth 5, PID 2404)
    "C:\Users\Admin\AppData\Local\Temp\1000029001\eddb4f9064.exe" (depth 3, PID 2284)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe" (depth 4, PID 2964)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (depth 1, PID 2912)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads