Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2024 08:07
Static task: static1
Behavioral task: behavioral1
Sample: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Resource: win7-20240903-en
General
Target: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Size: 435KB
MD5: 6005662a18ecbc23f89481cb5ae9be73
SHA1: bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA512: e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a
SSDEEP: 6144:sLq9GFWzmKJaexGmG2ugpIRk71J4AE1oYMEW6GQ4NqffzymNSZQ5FYc5KYi:sG9Ggta2Lpik2lSPQomzymNSMi
Malware Config
Extracted: amadey
  version: 4.42
  botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: stealc
  botnet: save
  C2: http://185.215.113.37
  url_path: /e2b1563c6670f193.php
Extracted: amadey
  version: 4.41
  botnet: fed3aa
  C2: http://185.215.113.16
  install_dir: 44111dbc49
  install_file: axplong.exe
  strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  url_paths: /Jo89Ku7d/index.php
The first Amadey config belongs to the submitted sample, which installs itself as abc3bc1985\skotes.exe; the second belongs to the dropped 3c3b1432d2.exe, which installs 44111dbc49\axplong.exe (both paths appear in the process tree below). The Stealc config was carried by one of the downloaded payloads.
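The extracted C2 values are only useful once they are turned into something a proxy or NDR can match. The Python below is an added example, not part of the report or of any sandbox tooling: it derives the full check-in URLs from the three configs above and runs them over a few Squid-style access-log lines. The hosts, paths, versions and botnet IDs are the report's; the log lines, client addresses and the non-check-in path are constructed for the demonstration.

```python
"""Build network IOCs from the extracted Amadey/Stealc configs and match them in proxy logs.

Added example, not part of the report. The hosts, paths, versions and botnet IDs are the
values the report extracted; the access-log lines below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class C2Profile:
    family: str
    tag: str           # Amadey version plus botnet id, or the Stealc botnet id
    host: str          # C2 host exactly as extracted
    paths: tuple       # URL paths the implant talks to on that host


# From the "Malware Config" section of the report.
PROFILES = (
    C2Profile("amadey", "4.42/9c9aa5", "185.215.113.43", ("/Zu7JuNko/index.php",)),
    C2Profile("stealc", "save", "185.215.113.37", ("/e2b1563c6670f193.php",)),
    C2Profile("amadey", "4.41/fed3aa", "185.215.113.16", ("/Jo89Ku7d/index.php",)),
)


def c2_urls(profiles=PROFILES):
    """Full check-in URLs (scheme + host + path): the exact-match IOCs."""
    return {f"http://{p.host}{path}": p for p in profiles for path in p.paths}


def c2_hosts(profiles=PROFILES):
    """Hosts alone: a weaker IOC that still catches payload fetches on other paths."""
    return {p.host: p for p in profiles}


def classify(url, profiles=PROFILES):
    """("url", profile) for an exact check-in URL, ("host", profile) for any other request
    to a C2 host, else (None, None). Query strings and a default port are ignored, so
    "http://185.215.113.16:80/Jo89Ku7d/index.php" still matches the extracted value."""
    parts = urlsplit(url)
    normalized = f"{parts.scheme}://{parts.hostname or ''}{parts.path}"
    urls, hosts = c2_urls(profiles), c2_hosts(profiles)
    if normalized in urls:
        return "url", urls[normalized]
    if parts.hostname in hosts:
        return "host", hosts[parts.hostname]
    return None, None


# Squid native access.log: timestamp elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan(log_text, profiles=PROFILES):
    """Run every parsable log line through classify() and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, profile = classify(m.group("url"), profiles)
        if kind:
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "method": m.group("method"),
                         "url": m.group("url"), "match": kind,
                         "family": profile.family, "tag": profile.tag})
    return hits


# Constructed log lines: an Amadey check-in, a non-check-in fetch from the same host,
# a Stealc check-in, an unrelated request, and an Amadey check-in with an explicit :80.
SAMPLE_LOG = """\
1727424500.123    212 10.0.0.15 TCP_MISS/200 1024 POST http://185.215.113.43/Zu7JuNko/index.php - HIER_DIRECT/185.215.113.43 text/html
1727424501.456     45 10.0.0.15 TCP_MISS/200 512 GET http://185.215.113.43/Zu7JuNko/extra.bin - HIER_DIRECT/185.215.113.43 application/octet-stream
1727424502.789    310 10.0.0.15 TCP_MISS/200 2048 POST http://185.215.113.37/e2b1563c6670f193.php - HIER_DIRECT/185.215.113.37 text/html
1727424503.000     30 10.0.0.22 TCP_HIT/200 4096 GET http://example.com/index.php - HIER_NONE/- text/html
1727424504.000     60 10.0.0.15 TCP_MISS/200 700 POST http://185.215.113.16:80/Jo89Ku7d/index.php - HIER_DIRECT/185.215.113.16 text/html
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

The host-only match is deliberately reported separately from the exact URL match: a request to the C2 host on another path is still worth an alert, but it is not the check-in the config describes. LOG_RE assumes Squid's native format; for another proxy only that expression changes.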
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
VBOX__ is the OEM table ID VirtualBox places in the guest's ACPI DSDT, so the key exists only when the firmware tables came from VirtualBox; a successful open of the key is the whole check.
Processes: axplong.exe, 42289d687d.exe, 87b8aec53a.exe, 3c3b1432d2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 42289d687d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 87b8aec53a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3c3b1432d2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments. These are registry reads: Sysmon's registry events (IDs 12 to 14) record key and value creation, deletion, modification and rename only, so queries like the ones below are visible on a production host only through object-access auditing (a SACL on the key, event 4663) or an EDR that hooks registry queries.
Processes: 87b8aec53a.exe, 3c3b1432d2.exe, axplong.exe, 42289d687d.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 87b8aec53a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3c3b1432d2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 42289d687d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 42289d687d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 87b8aec53a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3c3b1432d2.exe

Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, skotes.exe, b7248cc43d.exe, 3c3b1432d2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | b7248cc43d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 3c3b1432d2.exe

Executes dropped EXE 9 IoCs
pid | process
3896 | skotes.exe
4352 | skotes.exe
1120 | 42289d687d.exe
4296 | 87b8aec53a.exe
2000 | b7248cc43d.exe
2944 | 3c3b1432d2.exe
4040 | axplong.exe
4036 | axplong.exe
1820 | axplong.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 42289d687d.exe, 87b8aec53a.exe, 3c3b1432d2.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 42289d687d.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 87b8aec53a.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 3c3b1432d2.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | axplong.exe

Adds Run key to start application 2 TTPs 2 IoCs
The Amadey loader (skotes.exe) registers the two payloads it downloaded, not itself; its own persistence is the skotes.job task listed under "Drops file in Windows directory". One target sits directly under the profile root, the other under the user's Temp directory.
Processes: skotes.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87b8aec53a.exe = "C:\\Users\\Admin\\1000026002\\87b8aec53a.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b7248cc43d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\b7248cc43d.exe" | skotes.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events, so an attached debugger no longer sees its exceptions or breakpoints.
pid | process
1120 | 42289d687d.exe
4296 | 87b8aec53a.exe
2944 | 3c3b1432d2.exe
4040 | axplong.exe
4036 | axplong.exe
1820 | axplong.exe

Drops file in Windows directory 2 IoCs
A .job file under C:\Windows\Tasks is a Task Scheduler 1.0 job in the legacy binary format, not an XML task under C:\Windows\System32\Tasks. The two names match the install_file values of the two Amadey configs, consistent with each loader scheduling its own installed copy.
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, 3c3b1432d2.exe
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
File created | C:\Windows\Tasks\axplong.job | 3c3b1432d2.exe
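Recovering what a legacy job launches from a disk image or a triage collection needs a parser for the binary .job layout, since these files are not XML. The Python below is an added example, not code from the report or from the sandbox: it follows the fixed 68-byte header and the length-prefixed UTF-16LE strings of the .JOB format, and it builds its own sample file to parse. That skotes.job launched abc3bc1985\skotes.exe on a daily trigger is an assumption made for the sample; the report shows only that the file was created.

```python
"""Parse a Task Scheduler 1.0 .job file, the format of C:\\Windows\\Tasks\\skotes.job.

Added example, not code from the report. Offsets follow the .JOB file format: a 68-byte
fixed header (FIXDLEN_DATA), then a variable-length section of length-prefixed UTF-16LE
strings, then the triggers. build_job() fabricates a sample file; that skotes.job launched
abc3bc1985\\skotes.exe on a DAILY trigger is an assumption for the demo, not a report finding.
"""
import re
import struct
import uuid

FIXED_LEN = 68
HDR = "<HH16sHHHHHHIIIII"           # header fields up to (not including) the 16-byte Last Run Time
TRIGGER = "<HHHHHHHHHHIIIIHHHHHH"   # one 48-byte trigger record
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEE KLY".replace(" ", ""), 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}


def _ustr(s):
    """WORD character count including the terminating NUL, then UTF-16LE; 0 means empty."""
    return struct.pack("<H", 0) if not s else struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def _read_ustr(buf, off):
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def build_job(app, params="", workdir="", author="", comment="",
              begin=(2024, 9, 27), start=(8, 7), interval_min=1, duration_min=1440):
    """Constructed sample: one DAILY trigger repeating every interval_min for duration_min."""
    var = struct.pack("<H", 0)                                        # Running Instance Count
    var += _ustr(app) + _ustr(params) + _ustr(workdir) + _ustr(author) + _ustr(comment)
    var += struct.pack("<H", 0)                                       # User Data: none
    var += struct.pack("<H", 8) + bytes(8)                            # Reserved Data (TASKRESERVED1)
    trigger_off = FIXED_LEN + len(var)
    var += struct.pack("<H", 1) + struct.pack(                        # Trigger Count, then the trigger
        TRIGGER, 48, 0, begin[0], begin[1], begin[2], 0, 0, 0, start[0], start[1],
        duration_min, interval_min, 0, 1, 1, 0, 0, 0, 0, 0)           # type 1 = DAILY, every 1 day
    header = struct.pack(HDR, 0x0601, 1, uuid.uuid4().bytes_le, FIXED_LEN + 2, trigger_off,
                         0, 0, 0, 0, 0x20, 259_200_000, 0, 0x00041300, 0)  # NORMAL priority, 72h, SCHED_S_TASK_READY
    return header + bytes(16) + var                                   # Last Run Time zeroed


def parse_job(buf):
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the 68-byte .job header")
    (product, _filever, job_uuid, app_off, trig_off, _r, _ri, _idl, _idw,
     _prio, max_run_ms, _exit, status, flags) = struct.unpack_from(HDR, buf, 0)
    if app_off < FIXED_LEN + 2 or trig_off < app_off or trig_off + 2 > len(buf):
        raise ValueError("header offsets point outside the file")
    (running,) = struct.unpack_from("<H", buf, app_off - 2)          # Running Instance Count precedes the app name
    strings, off = {}, app_off
    for name in ("app", "params", "workdir", "author", "comment"):
        strings[name], off = _read_ustr(buf, off)
    (count,) = struct.unpack_from("<H", buf, trig_off)
    if trig_off + 2 + 48 * count > len(buf):
        raise ValueError("trigger table truncated")
    triggers = []
    for i in range(count):
        t = struct.unpack_from(TRIGGER, buf, trig_off + 2 + 48 * i)
        triggers.append({"type": TRIGGER_TYPES.get(t[13], f"UNKNOWN({t[13]})"),
                         "begin": (t[2], t[3], t[4]), "start": (t[8], t[9]),
                         "duration_min": t[10], "interval_min": t[11], "disabled": bool(t[12] & 4)})
    return {"product_version": hex(product), "uuid": str(uuid.UUID(bytes_le=job_uuid)),
            "running_instances": running, "max_run_ms": max_run_ms, "status": hex(status),
            "flags": flags, **strings, "triggers": triggers}


def suspicious_target(path):
    """Heuristic from this report: task targets in user Temp or one level under a profile root."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or re.match(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\\[^\\]+$", p) is not None


if __name__ == "__main__":
    sample = build_job(r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe",
                       workdir=r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985", author="Admin")
    info = parse_job(sample)
    print(info["app"], info["triggers"], suspicious_target(info["app"]))
```

On a real collection, read C:\Windows\Tasks\*.job and feed each file to parse_job(); the application path and the trigger interval are what decide whether the job matters, and suspicious_target() encodes the two drop locations this report shows.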
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 33 IoCs
Each row is a WerFault.exe instance (pid) and the process it reported on (pid_target): 13 crashes of the submitted sample (pid 4892), 3 of the first skotes.exe (pid 3896) and 17 of the second skotes.exe (pid 4352). PIDs are recycled during the run (4296 is a WerFault.exe instance here and 87b8aec53a.exe in the process tree; 752 and 4628 likewise appear twice), so correlate on pid plus start time rather than pid alone.
pid | pid_target | process | target process
3264 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
4568 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
788 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
1864 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
3768 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
4296 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
1924 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
2672 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
5056 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
2504 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
4668 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
4208 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
3848 | 3896 | WerFault.exe | skotes.exe
3340 | 4892 | WerFault.exe | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
1680 | 3896 | WerFault.exe | skotes.exe
4628 | 3896 | WerFault.exe | skotes.exe
4912 | 4352 | WerFault.exe | skotes.exe
3752 | 4352 | WerFault.exe | skotes.exe
3932 | 4352 | WerFault.exe | skotes.exe
4376 | 4352 | WerFault.exe | skotes.exe
3992 | 4352 | WerFault.exe | skotes.exe
2216 | 4352 | WerFault.exe | skotes.exe
4532 | 4352 | WerFault.exe | skotes.exe
1740 | 4352 | WerFault.exe | skotes.exe
4360 | 4352 | WerFault.exe | skotes.exe
1460 | 4352 | WerFault.exe | skotes.exe
400 | 4352 | WerFault.exe | skotes.exe
4192 | 4352 | WerFault.exe | skotes.exe
752 | 4352 | WerFault.exe | skotes.exe
1256 | 4352 | WerFault.exe | skotes.exe
1432 | 4352 | WerFault.exe | skotes.exe
3700 | 4352 | WerFault.exe | skotes.exe
412 | 4352 | WerFault.exe | skotes.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 87b8aec53a.exe, b7248cc43d.exe, 3c3b1432d2.exe, axplong.exe, 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, skotes.exe, 42289d687d.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 87b8aec53a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7248cc43d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3c3b1432d2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 42289d687d.exe

Enumerates system info in registry 2 TTPs 3 IoCs
This signature and the next one fire on the Chrome instance (pid 5096) that b7248cc43d.exe launched, not on the dropped binaries.
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718980969655976" | chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | process | count
1120 | 42289d687d.exe | 2
4296 | 87b8aec53a.exe | 2
5096 | chrome.exe | 2
2944 | 3c3b1432d2.exe | 2
4040 | axplong.exe | 2
4036 | axplong.exe | 2
1820 | axplong.exe | 2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2000 | b7248cc43d.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | process | count
5096 | chrome.exe | 2

Suspicious use of AdjustPrivilegeToken 64 IoCs
All 64 entries are pid 5096 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 of each). The list is capped at 64 entries.

Suspicious use of FindShellTrayWindow 64 IoCs
One entry for pid 4892 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe; the remaining entries are pid 2000 b7248cc43d.exe and pid 5096 chrome.exe, interleaved. The list is capped at 64 entries.

Suspicious use of SendNotifyMessage 64 IoCs
All entries are pid 2000 b7248cc43d.exe and pid 5096 chrome.exe, interleaved. The list is capped at 64 entries.

Suspicious use of WriteProcessMemory 64 IoCs
Every target is a child of the writer (each dropper into the process it starts, Chrome into its own helper processes), so these writes coincide with process creation rather than with injection into an unrelated process. The list is capped at 64 entries.
pid | process | target pid | target process | count
4892 | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | 3896 | skotes.exe | 3
4352 | skotes.exe | 1120 | 42289d687d.exe | 3
4352 | skotes.exe | 4296 | 87b8aec53a.exe | 3
4352 | skotes.exe | 2000 | b7248cc43d.exe | 3
2000 | b7248cc43d.exe | 5096 | chrome.exe | 2
5096 | chrome.exe | 4628 | chrome.exe | 2
5096 | chrome.exe | 3392 | chrome.exe | 30
5096 | chrome.exe | 4236 | chrome.exe | 2
5096 | chrome.exe | 1360 | chrome.exe | 16
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 7362⤵
- Program crash
PID:3264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 7922⤵
- Program crash
PID:4568 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 8562⤵
- Program crash
PID:788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 9122⤵
- Program crash
PID:1864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 9362⤵
- Program crash
PID:3768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 8602⤵
- Program crash
PID:4296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 11042⤵
- Program crash
PID:1924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 11642⤵
- Program crash
PID:2672 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 12442⤵
- Program crash
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 4643⤵
- Program crash
PID:3848 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 4723⤵
- Program crash
PID:1680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 4883⤵
- Program crash
PID:4628 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 10362⤵
- Program crash
PID:2504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 14922⤵
- Program crash
PID:4668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 9282⤵
- Program crash
PID:4208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 10922⤵
- Program crash
PID:3340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4892 -ip 48921⤵PID:3680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 48921⤵PID:776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4892 -ip 48921⤵PID:3724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4892 -ip 48921⤵PID:4544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4892 -ip 48921⤵PID:3260
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 48921⤵PID:3956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 48921⤵PID:2716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4892 -ip 48921⤵PID:2748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 48921⤵PID:4680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 48921⤵PID:2528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4892 -ip 48921⤵PID:4152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4892 -ip 48921⤵PID:5084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3896 -ip 38961⤵PID:2460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4892 -ip 48921⤵PID:752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3896 -ip 38961⤵PID:408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3896 -ip 38961⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 5122⤵
- Program crash
PID:4912 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 7082⤵
- Program crash
PID:3752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 7282⤵
- Program crash
PID:3932 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 7602⤵
- Program crash
PID:4376 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 8002⤵
- Program crash
PID:3992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 8762⤵
- Program crash
PID:2216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 9962⤵
- Program crash
PID:4532 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 11922⤵
- Program crash
PID:1740 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 14842⤵
- Program crash
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe"C:\Users\Admin\AppData\Local\Temp\1000023001\42289d687d.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1120 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 14522⤵
- Program crash
PID:1460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 14322⤵
- Program crash
PID:400 -
C:\Users\Admin\1000026002\87b8aec53a.exe"C:\Users\Admin\1000026002\87b8aec53a.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 16122⤵
- Program crash
PID:4192 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 16082⤵
- Program crash
PID:752 -
C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe"C:\Users\Admin\AppData\Local\Temp\1000028001\b7248cc43d.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaf396cc40,0x7ffaf396cc4c,0x7ffaf396cc584⤵PID:4628
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1840 /prefetch:2
Depth 4, PID 3392
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2112 /prefetch:3
Depth 4, PID 4236
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1756,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
Depth 4, PID 1360
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
Depth 4, PID 3040
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1
Depth 4, PID 3964
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:8
Depth 4, PID 2604
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,11784198179261215246,3537358380524359198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:8
Depth 4, PID 1592
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1572
Depth 2
- Program crash
PID 1256
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1420
Depth 2
- Program crash
PID 1432
-
C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe
"C:\Users\Admin\AppData\Local\Temp\1000029001\3c3b1432d2.exe"
Depth 2
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID 2944
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Depth 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID 4040
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1632
Depth 2
- Program crash
PID 3700
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1504
Depth 2
- Program crash
PID 412
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4352 -ip 4352
Depth 1, PID 980
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4352 -ip 4352
Depth 1, PID 4236
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4352 -ip 4352
Depth 1, PID 3200
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4352 -ip 4352
Depth 1, PID 3568
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4352 -ip 4352
Depth 1, PID 1140
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4352 -ip 4352
Depth 1, PID 4952
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4352 -ip 4352
Depth 1, PID 3824
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4352 -ip 4352
Depth 1, PID 1288
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4352 -ip 4352
Depth 1, PID 2364
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4352 -ip 4352
Depth 1, PID 3536
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4352 -ip 4352
Depth 1, PID 1184
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4352 -ip 4352
Depth 1, PID 3832
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352
Depth 1, PID 4208
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4352 -ip 4352
Depth 1, PID 4496
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Depth 1, PID 416
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4352 -ip 4352
Depth 1, PID 1612
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352
Depth 1, PID 2528
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Depth 1, PID 4392
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4352 -ip 4352
Depth 1, PID 3880
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Depth 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID 4036
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Depth 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID 1820
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 649B
MD5: 481c123bde492e5b31174ae20c3128b6
SHA1: 63105b908017f1ccaa1b5ecbf6c6fb1a0aaac5e5
SHA256: f0a7898fb9b68acbc9ec0ee83d8961c4aaf1a8ea0d5c67b7577c392880290cb6
SHA512: 2f86b09455daf43604c56e9e04efa9224dab8e8aa88268890f155cab80ae844cca62c026a2fb48f16c332373c4df1676cff59c7b95327b9073dddcbc243fc970
-
Filesize: 288B
MD5: 5484fdc1348d1355cf4f11a9a11b7fba
SHA1: 9c9248a051587f6fcf0c0cb683ad91de4d95395e
SHA256: d32271471765f5eeef1cb81a5636cbf8fe52f641b8f92a3e7fba45a8cf0b87d3
SHA512: f368a253258fed80a9e04e30cc53d45a8382f558492c7c4994f056b9e9d38d8c72ac78a27381590a410e3d0b176e96e31d7fa4dc81d6543c96f229372a6f19b1
-
Filesize: 2KB
MD5: 52cb5196c0ce49b0e6aab5c478245db8
SHA1: 3fbcf19987ae5ff3f3d230b00dcf6ff0f9c558a9
SHA256: 88d3b9dbca15256030f253db8bd45446bc4ee9094d79e346bb634c4625fa5fef
SHA512: 03157cc9c95d1acc7c85212126a8e22b86dc9c8d621b62e3fd4d6e16245b449986c4c9861ae610a10faa7289871e4b7efda7421fc9a470949c3ec0c5b065c7f1
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 859B
MD5: 0e9795337f454494403df3ee4aa6fe96
SHA1: b54bb8a57aec2b437a549e7c5af82f897fe2734b
SHA256: 5a14901726a0fa2113c36365126d6aaff43b72a4262388c26f6527a0506e80f3
SHA512: 1963dd0d2af805ac044f88affb49daa39d9c4d95831c33cae8981ee022dfccada36582cdf9e59278a52ffec769a28a0cc1fb33243685af6f9a797908c7975eff
-
Filesize: 9KB
MD5: 647be029e7f06048bff5fd8a2b7ffb29
SHA1: 11f9d411e0aee597d1b8df69b9bb361ceab89b63
SHA256: 8833e99078b457119c7d2f59041cc7f57c0cfdf267041758497d46eafb516585
SHA512: ceba74596fd757659f5cfa152dbbefea2ca22f7cf02961cc09e8bb3270db882454a0e29298bf7cba7ab532c5158bfd0db9ccf2d5622e78c568cb8150756ffa0e
-
Filesize: 10KB
MD5: bdf9866ece88148fe248b3f7fdf28ea0
SHA1: fc3967ce3550649e5ec89f4d89042f19a8b82253
SHA256: a2e93c26b5737a1ffa8aa0c5adab9ed061b49c19bedc324f4d9b22cbf9ede317
SHA512: 612bb6d3d4065ca34fbdbef802019446bb29386e1ac6c19d64a180fd4ac971a9dd65d1af730245c55eaa97cc345347f1298c4bc17ec62681ada667ba2db2ca72
-
Filesize: 10KB
MD5: fea64bf86a2add96c1063d4fb91e1e89
SHA1: 7f1fbb29ee5278a7ce2bca928eba28a9e4b8c85b
SHA256: 6ab88986e60bfe286f821cab43dd0ceea8a8037def27f3815248c089803b40fd
SHA512: a5f551ac54748aa16967071ca744f08129ae70ebab04dc77f410a2be7f7c050e93a62a02f9001e491fa616c594770be8cc4d287c560d90481c387dc82bf4305c
-
Filesize: 9KB
MD5: dcdd784004e13668eb3474df58ffd3a6
SHA1: 77067dae47eff54104cb3c20af70e9073720bed9
SHA256: 6f5e0228c080e1ed7454d04404be6e5df991a5ed5df414f938f288245c03e32c
SHA512: ed8d0a481085ec0b4ab8184ac0f6160d1d760f63bc4e4c5760ddea7744d35ca6b4ba0b1ab45f59cba8e7038a3c4f42d14b726e0f1a50aa065117bcad69f121aa
-
Filesize: 9KB
MD5: 5cbe653fcab1f240efd0d1fa7b545980
SHA1: a0ad0615c11aedae111c12205ff6e0f0b31524ec
SHA256: a2154b1279f7c12fa9dae6e56882c54efa55b084164386425b9c9069cf9d7c7c
SHA512: f9c284b7c1d3756166ea8d58f64f2ffe7a9d4ef3bec0fabdd04cc28bb32fe5b507ae319c0d54214fb36f31d3e658131666d1d216168fd58c8c2b5034d664a3ab
-
Filesize: 15KB
MD5: 2922cf92ec775eb63bf4d1f0671ac69c
SHA1: 8a96ca944ae0f917cb10c8a4c96ba233e9b5d25c
SHA256: 47a504076384eb36e252516dca456500bf7914e83e5e17220a2964695b26c1d5
SHA512: 3aed8274fa2c9b7b86a2b8b0a170edf748f6237cc2a2476cedeafc70fe1b8084dadbae3c3f3d758bc4c65c8bf5accc3976ec11540a5947bd1d01a21b539413ed
-
Filesize: 212KB
MD5: d3d6add8a3f19855464f269d19afba8d
SHA1: e64b643e6caf2451a481c580cc9bb0da7fb46d45
SHA256: 213756a99c0d562f5a194b9f11b0f922e6f1b762dcaa4c4a3d57bfd32684c70d
SHA512: 56ee080b8755f8c954d0c1e3d8fa7efd35d03ff2f514183a55bc7c715e4d0f3c139e6603c12cc5a0b51be640c95e9f27ff15e73534222279181b9a63cddefd33
-
Filesize: 212KB
MD5: 5e95cc8b67853dfb0d67f1214321f81a
SHA1: 81d48ec2f15470eaf7dd05339430a4e0d8216c8d
SHA256: 48ad9e493ba69eda21c5c5d7196692c20560840a089c65046e1eece89b5c99d6
SHA512: c8a2f2fc8fbc929bddd99c38c11854974795f4ebd891b91e9a3339baca36e8193315a1bc15c7dad76be8c85c22b2d0fe3a3155513dd7dedf13ba0dfabab5842f
-
Filesize: 1.8MB
MD5: 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1: a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256: 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512: 46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235
-
Filesize: 1.1MB
MD5: cda0b8ef0af532cf29045c06142ce1f8
SHA1: 39b7bd4dadc3172152d727dd9633916ae1a8fd7d
SHA256: 3129cc8fa8430ac67ed710a05d4227d636612387b02125b8006117c40c79e5b6
SHA512: 40f6209a1b41e952eb5b96cadcfa87bdc5a9ceaf7f1f438beff20378d620eada3031485b179ef58920d23d6563324269206a2243d0cfb3ad58811827d39071f2
-
Filesize: 1.8MB
MD5: 2dbfc6089fd5e3b1aa8a004508a16a37
SHA1: 20331e184251ff628c6e3593511fc6ab93349058
SHA256: 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
SHA512: 03f5390778ce28d28d6e4c60af50f0ee32f1e4adf1b0ea1958bd9897db919f63817f1a0df8b4b4ae03ac90d4e797a2a1db380f9fce9d6ef33575101c4a640629
-
Filesize: 435KB
MD5: 6005662a18ecbc23f89481cb5ae9be73
SHA1: bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA512: e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e