Analysis
max time kernel: 153s
max time network: 289s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-09-2024 22:45
Static task: static1
Behavioral task: behavioral1
Sample: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Resource: win7-20240903-en
General
Target: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Size: 1.8MB
MD5: f410dd5b8dfcde566dd8947dec56f687
SHA1: 6caf30145a82f521aee48f118fb31fec46bd549b
SHA256: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7
SHA512: 33ad32362cc5da60df1913533231763dbc21ac8ec1e8784e488cbbb32bf37469828bbb3df4cff2f38b8085ff9b9d7af7cea55255a4fc2b9d34acf9b8ea0620bb
SSDEEP: 24576:FSmOOscGxQrF8jb9IV79GVmX5Up41ijnoCuFihNgr4AiYFU0WLjvzx58MGdjZcIy:m/cGxQBE2V7DX5B1ib7hXUMGtPjo
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: stealc
Botnet: save
C2: http://185.215.113.37
url_path: /e2b1563c6670f193.php
Extracted
Family: amadey
Version: 4.41
Botnet: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, a6a1568286.exe, 741f765837.exe, d9921315e8.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a6a1568286.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 741f765837.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d9921315e8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: skotes.exe, a6a1568286.exe, 741f765837.exe, d9921315e8.exe, axplong.exe, 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a6a1568286.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 741f765837.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d9921315e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d9921315e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a6a1568286.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 741f765837.exe
Executes dropped EXE 6 IoCs
Processes: skotes.exe, a6a1568286.exe, 741f765837.exe, 0ba7897725.exe, d9921315e8.exe, axplong.exe
pid | process
2596 | skotes.exe
2060 | a6a1568286.exe
2280 | 741f765837.exe
936 | 0ba7897725.exe
444 | d9921315e8.exe
1668 | axplong.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, a6a1568286.exe, 741f765837.exe, d9921315e8.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | a6a1568286.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 741f765837.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | d9921315e8.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | axplong.exe
Loads dropped DLL 8 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, d9921315e8.exe
pid | process | count
2260 | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe | 1
2596 | skotes.exe | 6
444 | d9921315e8.exe | 1
Adds Run key to start application 2 TTPs 3 IoCs
Processes: skotes.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\741f765837.exe = "C:\\Users\\Admin\\1000026002\\741f765837.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\0ba7897725.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\0ba7897725.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\a6a1568286.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\a6a1568286.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000028001\0ba7897725.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, a6a1568286.exe, 741f765837.exe, d9921315e8.exe, axplong.exe
pid | process
2260 | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
2596 | skotes.exe
2060 | a6a1568286.exe
2280 | 741f765837.exe
444 | d9921315e8.exe
1668 | axplong.exe
Drops file in Windows directory 2 IoCs
Processes: d9921315e8.exe, 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | d9921315e8.exe
File created | C:\Windows\Tasks\skotes.job | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a6a1568286.exe, 741f765837.exe, 0ba7897725.exe, d9921315e8.exe, axplong.exe, 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6a1568286.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 741f765837.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0ba7897725.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9921315e8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, a6a1568286.exe, 741f765837.exe, chrome.exe, 0ba7897725.exe
pid | process | count (identical consecutive rows collapsed, in order)
2260 | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe | 1
2596 | skotes.exe | 1
2060 | a6a1568286.exe | 1
2280 | 741f765837.exe | 1
1640 | chrome.exe | 2
936 | 0ba7897725.exe | 58
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 0ba7897725.exe
pid | process
936 | 0ba7897725.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
description | pid | process | count (identical rows collapsed)
Token: SeShutdownPrivilege | 1640 | chrome.exe | 64
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, 0ba7897725.exe, chrome.exe, d9921315e8.exe
pid | process | count (identical consecutive rows collapsed, in order)
2260 | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe | 1
936 | 0ba7897725.exe | 2
1640 | chrome.exe | 34
936 | 0ba7897725.exe | 3
1640 | chrome.exe | 2
936 | 0ba7897725.exe | 2
444 | d9921315e8.exe | 1
936 | 0ba7897725.exe | 1
1640 | chrome.exe | 17
936 | 0ba7897725.exe | 1
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 0ba7897725.exe, chrome.exe
pid | process | count (identical consecutive rows collapsed, in order)
936 | 0ba7897725.exe | 2
1640 | chrome.exe | 32
936 | 0ba7897725.exe | 6
1640 | chrome.exe | 16
936 | 0ba7897725.exe | 8
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe, skotes.exe, 0ba7897725.exe, chrome.exe
description | pid | process | target process | count (identical consecutive rows collapsed, in order)
PID 2260 wrote to memory of 2596 | 2260 | 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe | skotes.exe | 4
PID 2596 wrote to memory of 2060 | 2596 | skotes.exe | a6a1568286.exe | 4
PID 2596 wrote to memory of 2280 | 2596 | skotes.exe | 741f765837.exe | 4
PID 2596 wrote to memory of 936 | 2596 | skotes.exe | 0ba7897725.exe | 4
PID 936 wrote to memory of 1640 | 936 | 0ba7897725.exe | chrome.exe | 4
PID 1640 wrote to memory of 2496 | 1640 | chrome.exe | chrome.exe | 3
PID 1640 wrote to memory of 2960 | 1640 | chrome.exe | chrome.exe | 39
PID 1640 wrote to memory of 1784 | 1640 | chrome.exe | chrome.exe | 2
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2260
[depth 2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2596
[depth 3] C:\Users\Admin\AppData\Local\Temp\1000023001\a6a1568286.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000023001\a6a1568286.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2060
[depth 3] C:\Users\Admin\1000026002\741f765837.exe
Command line: "C:\Users\Admin\1000026002\741f765837.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2280
[depth 3] C:\Users\Admin\AppData\Local\Temp\1000028001\0ba7897725.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000028001\0ba7897725.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 936
[depth 4] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1640
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8179758,0x7fef8179768,0x7fef8179778
PID: 2496
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:2
PID: 2960
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:8
PID: 1784
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:8
PID: 2980
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:1
PID: 2012
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:1
PID: 2372
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3040 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:1
PID: 1760
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:2
PID: 2848
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 --field-trial-handle=1368,i,4727389630086323033,5799969332093369683,131072 /prefetch:8
PID: 2168
[depth 3] C:\Users\Admin\AppData\Local\Temp\1000029001\d9921315e8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000029001\d9921315e8.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID: 444
[depth 4] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID: 1668
[depth 1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 2820
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ef99277-d620-4598-9e26-8816de521da9.tmp
Filesize: 6KB
MD5: 935dbde76ecb41b75692bac5d503e1fe
SHA1: f55041224cbe21c44dd0f01f115805dea5d79e95
SHA256: 2b0cba028c509fe3a50593e7f729d40762c86158364d2192d4e52733e7af8976
SHA512: a828dafdc49aa6e4ad9df156d2e53f88e2bf9ad34e9cc2747e91b23fe8294a3bd29a591994a5677ec1f32db5391998ae217817e5095b52fe14f6b44efb85b883
-
Filesize: 16B
MD5: aefd77f47fb84fae5ea194496b44c67a
SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize: 2KB
MD5: 61ed83777ac23c1af26dc9fa7dc81fd8
SHA1: 29a3d75edacbdaaa84f1fe9883b09264c2eaeb09
SHA256: 8f3185ee95fb6c88f3c0833ce8aa41f54a2d5d49bada3f3b6c0f54652cbee29b
SHA512: 6873b988b3ecf054db57dae46a31a4ccfe01233eba3da2dcdc511b2fc0b8c9118e3a045a168a13d3dc536f344566344969099c8057db5cb5fdbc55340fb86ae5
-
Filesize: 2KB
MD5: e1dabe443b78cbc1957ad5901239c67a
SHA1: cc1adb3e59dc899e93c6cb4d4682a62c7d260894
SHA256: 4f7df2b4a739537992f627338623bbf8cd9e54c7e18f7b9129b844bc0a646825
SHA512: 0f80e265b83fc7744cf3fcd4be76fc68b9ffa02177895c979b19f71ac9d267a72746bf4318ad55af32666bdb1cf04c2e9522677f2ce135ecffa3d192c608221a
-
Filesize: 2KB
MD5: 9413d0189d1fbb6fea64b444d250864d
SHA1: a82d5d5f2c13e6150b0e6a2663b181466caa7e02
SHA256: f1f298862bcc6add19dd0cb8266ea93f0819d6be4b3a4640ca1c131b944f6e1c
SHA512: 4964b77944417df7dab664a68982ace136563115f3b20b3be9116bdf4e111ff0d2cc0a83c6a389adc854d7e2bfca1360b07b349052df9986452fc55d883c7198
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize: 1.8MB
MD5: b1197df51b22f8d4c9c9e0e552e8a627
SHA1: 01aa572ac1a7f89bdcbbccb757fb0869f232f954
SHA256: a67b224f6e0df8b93806ed24cd1a09afb539d242add6b52f63600f28b65b3d1d
SHA512: 771fb9f4c32a6fea9265777a319ff605e614a80d679377e10de4117274cfe10a6d3074d1ba0fe5328d2cfe918fd63d59a3731283f1c4bf1935c3b77b021507a3
-
Filesize: 1.1MB
MD5: 64956443795d78e8ee8aeabbdf52ff3b
SHA1: 13e90266f2b9a71094f75c721181bd283c416899
SHA256: f3b808b6d9692ddfabdf8fd945ae4b607a40383730babea64fd58b320a1d418a
SHA512: 5f48277dc716dab0e81efcdf79c588b5d59b0af3a7eb76012fdfd95c818a7822e59415f877c416678cbda4239aa4f4e8496056cedc66aafc73fd06ba0d092c21
-
Filesize: 1.8MB
MD5: 9e2aebc8881867906fa89542b220e08a
SHA1: 51c910c68ee66e504da5fd47c9521b7c5e0a0f71
SHA256: aef3392b2c420d8ceb540efb7251dcee3b6c9ce127aeaa0c7d10e02231c0d759
SHA512: 845bc8efc3ae27d74d72b467f987087ca7eacdb4071f1dad0ee427f22946aa396938e0e789cf17e0f99ca9ed594acd5d880d754ad97e8f79cdfe172600f4a1bd
-
Filesize: 1.8MB
MD5: f410dd5b8dfcde566dd8947dec56f687
SHA1: 6caf30145a82f521aee48f118fb31fec46bd549b
SHA256: 8bc0f9b0aa8c1ad410f3885ac880f1f7e90e807c0aace4a752a2e45c959dbdb7
SHA512: 33ad32362cc5da60df1913533231763dbc21ac8ec1e8784e488cbbb32bf37469828bbb3df4cff2f38b8085ff9b9d7af7cea55255a4fc2b9d34acf9b8ea0620bb
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e