Analysis
-
max time kernel
49s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
27-09-2024 08:39
Static task
static1
Behavioral task
behavioral1
Sample
6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Resource
win7-20240729-en
General
-
Target
6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
-
Size
1.8MB
-
MD5
4524cefb7ae3014bb97ef105b46034c8
-
SHA1
f324b02762bcc28c6d3c4d10773f4603439f5673
-
SHA256
6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65
-
SHA512
c7f3bd298e540ae4b825ca4c9b0b21c1c6c8d248cea46d45317f5bf7dd83913bfb21d03222b408302104e41140bf7093df8cbd733f71279ed8b2bf866c798d49
-
SSDEEP
49152:c1SDBa2diRXvIUHeIGe/8R4fmANkGl3zrjzfBlDzU:c8DBXiRXdeVe/8CfmSk+3jXD
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
save
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
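The two Amadey configs and the Stealc config above each yield a C2 host and a gate path, and the Amadey ones also an install_dir/install_file pair. The Python below is an added example for this report, not sandbox output and not code from either family: it turns those extracted values into host and network indicators and matches them against a constructed proxy log. Assumptions, marked in the code: the log line format, the %LOCALAPPDATA%\Temp drop root for the `Admin` user seen in this run, and the `<install_file without .exe>.job` task name, which generalises the skotes.job / axplong.job pair recorded under "Drops file in Windows directory".

```python
"""Indicators from the extracted Amadey/Stealc configs, matched against a
constructed proxy log. Added example for this report; not sandbox output."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ExtractedConfig:
    family: str
    c2: str                          # "scheme://host" exactly as extracted
    url_paths: tuple[str, ...]       # gate path(s) the bot appends to c2
    install_dir: str | None = None   # Amadey only: subfolder under %TEMP%
    install_file: str | None = None  # Amadey only: name of the installed copy


# Values copied from the "Malware Config" section of this report.
CONFIGS = (
    ExtractedConfig("amadey", "http://185.215.113.43", ("/Zu7JuNko/index.php",),
                    install_dir="abc3bc1985", install_file="skotes.exe"),
    ExtractedConfig("stealc", "http://185.215.113.37", ("/e2b1563c6670f193.php",)),
    ExtractedConfig("amadey", "http://185.215.113.16", ("/Jo89Ku7d/index.php",),
                    install_dir="44111dbc49", install_file="axplong.exe"),
)

# Assumption: the sandbox user is "Admin", so %LOCALAPPDATA%\Temp resolves to
# this root. Substitute the real profile path when hunting across a fleet.
TEMP_ROOT = r"C:\Users\Admin\AppData\Local\Temp"


def host_indicators(cfg: ExtractedConfig) -> set[str]:
    """File paths the loader is expected to create.

    The "<install_file minus .exe>.job" task name generalises the two
    observations in this report (skotes.exe -> skotes.job, axplong.exe ->
    axplong.job); treat it as an assumption for other builds.
    """
    if not (cfg.install_dir and cfg.install_file):
        return set()
    stem = cfg.install_file.rsplit(".", 1)[0]
    return {
        "\\".join((TEMP_ROOT, cfg.install_dir, cfg.install_file)),
        r"C:\Windows\Tasks" + "\\" + stem + ".job",
    }


def network_indicators(cfg: ExtractedConfig) -> set[str]:
    """Full gate URLs the bot will POST to."""
    return {cfg.c2.rstrip("/") + path for path in cfg.url_paths}


def _by_host(configs: tuple[ExtractedConfig, ...]) -> dict[str, ExtractedConfig]:
    return {urlsplit(cfg.c2).hostname: cfg for cfg in configs}


def match_http_line(line: str, configs=CONFIGS) -> tuple[str, bool] | None:
    """Return (family, exact_gate) for a proxy log line, or None.

    Constructed log format: "<timestamp> <client> <method> <url> <status>".
    The host alone is enough to name the family; exact_gate says whether the
    path is one of the extracted url_paths, so an operator who renamed the
    gate (or a bot fetching a plugin from another path) still surfaces.
    """
    url = next((f for f in line.split() if f.startswith(("http://", "https://"))), None)
    if url is None:
        return None
    parts = urlsplit(url)
    cfg = _by_host(configs).get(parts.hostname)
    if cfg is None:
        return None
    return cfg.family, parts.path in cfg.url_paths


# Constructed sample lines; only the first two carry hosts from this report.
SAMPLE_PROXY_LOG = (
    "2024-09-27T08:40:01Z 10.0.0.5 POST http://185.215.113.43/Zu7JuNko/index.php 200",
    "2024-09-27T08:40:03Z 10.0.0.5 GET http://185.215.113.37/renamed.php 200",
    "2024-09-27T08:40:05Z 10.0.0.5 GET https://accounts.google.com/v3/signin/challenge/pwd 200",
)


def triage(lines=SAMPLE_PROXY_LOG, configs=CONFIGS) -> list[tuple[str, str, bool]]:
    """Matching lines with their verdicts, ready for a hunt report."""
    hits = []
    for line in lines:
        verdict = match_http_line(line, configs)
        if verdict is not None:
            hits.append((line, *verdict))
    return hits


if __name__ == "__main__":
    for cfg in CONFIGS:
        print(cfg.family, sorted(network_indicators(cfg)), sorted(host_indicators(cfg)))
    for line, family, exact in triage():
        print(f"{family:7} exact_gate={exact!s:5} {line}")
```

Matching on the C2 host rather than the full gate URL is deliberate: all three hosts here sit in 185.215.113.0/24 and an operator can rotate the PHP gate name without touching the bot binary, so the host hit is the durable signal and the exact-gate flag only raises confidence. Nothing in the block contacts the infrastructure; it runs entirely against the embedded lines.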
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
The VBOX__ OEM table ID under HKLM\HARDWARE\ACPI\DSDT exists only on a VirtualBox guest, so a process that opens this key is fingerprinting its host rather than doing anything a normal application needs.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 66211f3836.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6bb099bf91.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1ff9ea2e02.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 66211f3836.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6bb099bf91.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1ff9ea2e02.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 66211f3836.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6bb099bf91.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1ff9ea2e02.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
2700 | skotes.exe
2208 | 66211f3836.exe
772 | 6bb099bf91.exe
808 | cb657bf7c7.exe
1680 | 1ff9ea2e02.exe
2520 | axplong.exe
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 66211f3836.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 6bb099bf91.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 1ff9ea2e02.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid | process
2188 | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
2700 | skotes.exe
2700 | skotes.exe
2700 | skotes.exe
2700 | skotes.exe
2700 | skotes.exe
2700 | skotes.exe
1680 | 1ff9ea2e02.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\66211f3836.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\66211f3836.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\6bb099bf91.exe = "C:\\Users\\Admin\\1000026002\\6bb099bf91.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cb657bf7c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\cb657bf7c7.exe" | skotes.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000028001\cb657bf7c7.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid | process
2188 | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
2700 | skotes.exe
2208 | 66211f3836.exe
772 | 6bb099bf91.exe
1680 | 1ff9ea2e02.exe
2520 | axplong.exe
-
Drops file in Windows directory 2 IoCs
Both .job filenames match the install_file of the corresponding extracted Amadey config (skotes.exe for the config with C2 185.215.113.43, axplong.exe for the one with C2 185.215.113.16), which ties each dropped task file to the loader stage that created it.
Processes:
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
File created | C:\Windows\Tasks\axplong.job | 1ff9ea2e02.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66211f3836.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6bb099bf91.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cb657bf7c7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ff9ea2e02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
-
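The registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine key, NLS language) are each weak evidence on their own; what marks every Amadey stage in this tree is that one process performs several of them. The Python below is an added example, not sandbox output: it parses event lines in the shape of the signature tables, assigns each registry path to a category, and flags a process that hits two or more distinct evasion categories. The event lines are constructed from rows of this report; the category list, the assumed line format and the threshold are the example's own assumptions.

```python
"""Per-process scoring of sandbox-evasion registry probes, fed with
report-style event lines. Added example, not sandbox output."""
import re
from collections import defaultdict

# Registry paths that only make sense when probing for a hypervisor or Wine.
# HKLM\HARDWARE\ACPI\DSDT\VBOX__ exists only on a VirtualBox guest.
EVASION_PATTERNS = (
    ("vbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I)),
    ("bios_version", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"\\Software\\Wine$", re.I)),
)
# Discovery or persistence rather than evasion: recorded for context, not
# scored, because plenty of legitimate software touches these keys.
CONTEXT_PATTERNS = (
    ("system_language", re.compile(r"\\Control\\NLS\\Language$", re.I)),
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
)

# Assumed line shape, copied from the signature tables of this report:
#   "<action> <registry path>[ = "<data>"] <process>"
LINE_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Set value \(\w+\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"
    r'(?:\s*=\s*"[^"]*")?\s+'
    r"(?P<process>\S+)$"
)


def parse_event(line):
    """Split one event line into (action, registry path, process); None if the
    line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m["action"], m["path"], m["process"])


def classify_path(path):
    """Return (category, is_evasion) for a registry path, or (None, False)."""
    for name, pattern in EVASION_PATTERNS:
        if pattern.search(path):
            return name, True
    for name, pattern in CONTEXT_PATTERNS:
        if pattern.search(path):
            return name, False
    return None, False


def score_processes(lines, threshold=2):
    """Return ({process: sorted categories}, [flagged processes]).

    A process is flagged when it hits at least `threshold` distinct evasion
    categories. One category alone is weak: inventory agents read
    SystemBiosVersion, and many installers query the NLS language.
    """
    categories = defaultdict(set)
    evasion = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        _, path, process = event
        category, is_evasion = classify_path(path)
        if category is None:
            continue
        categories[process].add(category)
        if is_evasion:
            evasion[process].add(category)
    flagged = sorted(p for p, cats in evasion.items() if len(cats) >= threshold)
    return {p: sorted(c) for p, c in categories.items()}, flagged


# Constructed from rows in the signature tables above; the chrome.exe line is
# a benign BIOS vendor lookup that must not score.
SAMPLE_EVENTS = (
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine skotes.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cb657bf7c7.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\66211f3836.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\66211f3836.exe" skotes.exe',
)


if __name__ == "__main__":
    cats, flagged = score_processes(SAMPLE_EVENTS)
    for proc, c in sorted(cats.items()):
        print(f"{proc:20} {'FLAG' if proc in flagged else '    '} {', '.join(c)}")
```

One caveat when porting this to endpoint telemetry: the VBOX__ and Wine checks are key opens and the BIOS checks are value reads, which sandbox traces and ETW registry providers record but Sysmon does not (Sysmon logs key creation, value sets and renames only). On Sysmon-based fleets only the Run-key write from the last line would be visible.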
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
2188 | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
2700 | skotes.exe
2208 | 66211f3836.exe
772 | 6bb099bf91.exe
1940 | chrome.exe
1940 | chrome.exe
1680 | 1ff9ea2e02.exe
2520 | axplong.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
808 | cb657bf7c7.exe
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
Processes:
description | pid | process | entries
Token: SeShutdownPrivilege | 1940 | chrome.exe | 62 (all identical)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process | consecutive entries
2188 | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe | 1
808 | cb657bf7c7.exe | 2
1940 | chrome.exe | 36
808 | cb657bf7c7.exe | 5
1680 | 1ff9ea2e02.exe | 1
808 | cb657bf7c7.exe | 19
(64 entries shown, in the order recorded)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process | consecutive entries
808 | cb657bf7c7.exe | 2
1940 | chrome.exe | 32
808 | cb657bf7c7.exe | 30
(64 entries shown, in the order recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 2188 wrote to memory of 2700 | 2188 | 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe | skotes.exe | 4
PID 2700 wrote to memory of 2208 | 2700 | skotes.exe | 66211f3836.exe | 4
PID 2700 wrote to memory of 772 | 2700 | skotes.exe | 6bb099bf91.exe | 4
PID 2700 wrote to memory of 808 | 2700 | skotes.exe | cb657bf7c7.exe | 4
PID 808 wrote to memory of 1940 | 808 | cb657bf7c7.exe | chrome.exe | 4
PID 1940 wrote to memory of 1404 | 1940 | chrome.exe | chrome.exe | 3
PID 1940 wrote to memory of 1868 | 1940 | chrome.exe | chrome.exe | 39
PID 1940 wrote to memory of 2984 | 1940 | chrome.exe | chrome.exe | 2
(64 entries shown)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188 -
Depth 2: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
Depth 3: C:\Users\Admin\AppData\Local\Temp\1000023001\66211f3836.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000023001\66211f3836.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2208 -
Depth 3: C:\Users\Admin\1000026002\6bb099bf91.exe
Command line: "C:\Users\Admin\1000026002\6bb099bf91.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:772 -
Depth 3: C:\Users\Admin\AppData\Local\Temp\1000028001\cb657bf7c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000028001\cb657bf7c7.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:808 -
Depth 4: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940 -
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7559758,0x7fef7559768,0x7fef7559778
PID:1404
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:2
PID:1868
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:8
PID:2984
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:8
PID:2968
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:1
PID:2688
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:1
PID:2908
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3172 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:2
PID:2720
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:1
PID:2872
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1284,i,16591192855177689854,7591968930522843690,131072 /prefetch:8
PID:2516
-
Depth 3: C:\Users\Admin\AppData\Local\Temp\1000029001\1ff9ea2e02.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000029001\1ff9ea2e02.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1680 -
Depth 4: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
Depth 1: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:2644
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cca29c0e-c5f0-4302-974c-f2da1197b003.tmp
Filesize
6KB
MD5 d29fcb244d341196187364e444791b60
SHA1 89e0752fd17cdf5a6a184a4cd2ec960f56625905
SHA256 2f936361cecc8e3408159b830492c5669ded41370dedd78e790a3c9cb115a093
SHA512 a942f2b8eb2a74a72b16ff210ef7216273e7141e97b0d93126957fa92c87443479b4c8921e257ff1986a279e2fb869d500c30e134d5b8879bd68ed355b2c1d65
-
Filesize
1.8MB
MD5 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1 a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512 46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235
-
Filesize
1.1MB
MD5 4d4ce788750f2f654e42e6bfccde419c
SHA1 33f56a257b9af1d77c085413be668c5d24f9b2e7
SHA256 d8ee72c297423711a6580c3bbcaa8e335459fd111352cf024e662d363752097a
SHA512 68869a12fe7203c3a13391c6cdc6ca271477c00a42dce3ba1ae03cfb214099ec627e01c4416dcf3d63cb030345433b138a12770020006c497deb682cb4c5e516
-
Filesize
1.8MB
MD5 73acb4cc181aca9525ab9f599500b9ca
SHA1 46a29f8b0e10003f85a8eae8a46473d0344650df
SHA256 4bc8ab389044aabd25719e924300530feddae8efa8a485cbfd67de8f347132f2
SHA512 f84e777e3591e00a8c7ac53ad47554d100aec16f19e143dd69447cd2d3872975c5c673f2ab1a8c66a164d0dec73d8876a7d9064386eb90c0474e55c2187ce5c0
-
Filesize
1.8MB
MD5 4524cefb7ae3014bb97ef105b46034c8 (same digests as the submitted sample in the General section)
SHA1 f324b02762bcc28c6d3c4d10773f4603439f5673
SHA256 6d16626be7eae239b040702b2f228cc7e84e1e76debfcf0ea9250cd52d177b65
SHA512 c7f3bd298e540ae4b825ca4c9b0b21c1c6c8d248cea46d45317f5bf7dd83913bfb21d03222b408302104e41140bf7093df8cbd733f71279ed8b2bf866c798d49
-
MD5 d41d8cd98f00b204e9800998ecf8427e (these are the digests of an empty, zero-byte file)
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e