Analysis
Max time kernel: 149s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-11-2024 19:27
Static task: static1
Behavioral task: behavioral1
Sample: dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Resource: win7-20240903-en

General
Target: dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Size: 1.8MB
MD5: 72683bf9c6f350a7af5d18a98462fcdf
SHA1: 1fd96a421e53351f72998a1a72f923b36e866a0b
SHA256: dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
SHA512: 989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d
SSDEEP: 49152:eu/AKF/HKZIZwiv29BZlYif1AYO5regp:F/AE/HmIiie9TlYC1Anreg
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted
Family: stealc
Botnet: mars
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
Signatures
Amadey family
Cryptbot family
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer that is widely distributed bundled with other software.
resource | yara_rule
behavioral2/memory/3256-3225-0x0000000069CC0000-0x000000006A71B000-memory.dmp | family_cryptbot_v3
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 43cf261ac4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 43cf261ac4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 43cf261ac4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 43cf261ac4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 43cf261ac4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 43cf261ac4.exe
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3248 created 2488 | 3248 | rh.exe | 42
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c839fdb833.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 43cf261ac4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe (repeated 3 times)
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 64d488fae4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 92e94ce798.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rh.exe
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
1872 | chrome.exe
5504 | chrome.exe
3080 | chrome.exe
2392 | chrome.exe
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 64d488fae4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 43cf261ac4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 43cf261ac4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 92e94ce798.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 64d488fae4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 92e94ce798.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c839fdb833.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c839fdb833.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 92e94ce798.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 13 IoCs
pid | Process
4308 | skotes.exe
3204 | skotes.exe
3636 | 5468191780.exe
3248 | rh.exe
1432 | 64d488fae4.exe
3988 | c839fdb833.exe
3680 | 10dfb4f667.exe
3836 | 43cf261ac4.exe
5148 | skotes.exe
3256 | 92e94ce798.exe
2164 | service123.exe
5288 | skotes.exe
1060 | service123.exe
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | c839fdb833.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 92e94ce798.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | rh.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 64d488fae4.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 43cf261ac4.exe
Loads dropped DLL 3 IoCs
pid | Process
3636 | 5468191780.exe
2164 | service123.exe
1060 | service123.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 43cf261ac4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 43cf261ac4.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\43cf261ac4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008509001\\43cf261ac4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64d488fae4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008506001\\64d488fae4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c839fdb833.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008507001\\c839fdb833.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10dfb4f667.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008508001\\10dfb4f667.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0008000000023c92-136.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid | Process
640 | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
4308 | skotes.exe
3204 | skotes.exe
3248 | rh.exe
1432 | 64d488fae4.exe
3988 | c839fdb833.exe
3836 | 43cf261ac4.exe
5148 | skotes.exe
3256 | 92e94ce798.exe
5288 | skotes.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3636 set thread context of 3188 | 3636 | 5468191780.exe | 91
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid | pid_target | Process | procid_target
2308 | 3636 | WerFault.exe | 89
3632 | 3248 | WerFault.exe | 97
4568 | 3256 | WerFault.exe | 128
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10dfb4f667.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c839fdb833.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (repeated 2 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64d488fae4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92e94ce798.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aspnet_regiis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5468191780.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (repeated 2 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 43cf261ac4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 92e94ce798.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 92e94ce798.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill 5 IoCs
pid | Process
2004 | taskkill.exe
4888 | taskkill.exe
4540 | taskkill.exe
2604 | taskkill.exe
4316 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5160 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
640 | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe (repeated 2 times)
4308 | skotes.exe (repeated 2 times)
3204 | skotes.exe (repeated 2 times)
3248 | rh.exe (repeated 6 times)
2776 | svchost.exe (repeated 4 times)
1432 | 64d488fae4.exe (repeated 2 times)
3988 | c839fdb833.exe (repeated 2 times)
3680 | 10dfb4f667.exe (repeated 4 times)
3836 | 43cf261ac4.exe (repeated 5 times)
5148 | skotes.exe (repeated 2 times)
3256 | 92e94ce798.exe (repeated 2 times)
5504 | chrome.exe (repeated 2 times)
5288 | skotes.exe (repeated 2 times)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
5504 | chrome.exe (repeated 3 times)
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2604 | taskkill.exe
Token: SeDebugPrivilege | 4316 | taskkill.exe
Token: SeDebugPrivilege | 2004 | taskkill.exe
Token: SeDebugPrivilege | 4888 | taskkill.exe
Token: SeDebugPrivilege | 4540 | taskkill.exe
Token: SeDebugPrivilege | 2932 | firefox.exe (repeated 2 times)
Token: SeDebugPrivilege | 3836 | 43cf261ac4.exe
Token: SeShutdownPrivilege | 5504 | chrome.exe
Token: SeCreatePagefilePrivilege | 5504 | chrome.exe
Token: SeShutdownPrivilege | 5504 | chrome.exe
Token: SeCreatePagefilePrivilege | 5504 | chrome.exe
Suspicious use of FindShellTrayWindow 58 IoCs
pid | Process
640 | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
3680 | 10dfb4f667.exe (repeated 7 times)
2932 | firefox.exe (repeated 20 times)
3680 | 10dfb4f667.exe (repeated 3 times)
5504 | chrome.exe (repeated 27 times)
Suspicious use of SendNotifyMessage 30 IoCs
pid | Process
3680 | 10dfb4f667.exe (repeated 7 times)
2932 | firefox.exe (repeated 20 times)
3680 | 10dfb4f667.exe (repeated 3 times)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2932 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 640 wrote to memory of 4308 | 640 | dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe | 82 (repeated 3 times)
PID 4308 wrote to memory of 3636 | 4308 | skotes.exe | 89 (repeated 3 times)
PID 3636 wrote to memory of 3188 | 3636 | 5468191780.exe | 91 (repeated 15 times)
PID 4308 wrote to memory of 3248 | 4308 | skotes.exe | 97 (repeated 3 times)
PID 3248 wrote to memory of 2776 | 3248 | rh.exe | 98 (repeated 5 times)
PID 4308 wrote to memory of 1432 | 4308 | skotes.exe | 101 (repeated 3 times)
PID 4308 wrote to memory of 3988 | 4308 | skotes.exe | 104 (repeated 3 times)
PID 4308 wrote to memory of 3680 | 4308 | skotes.exe | 105 (repeated 3 times)
PID 3680 wrote to memory of 2604 | 3680 | 10dfb4f667.exe | 106 (repeated 3 times)
PID 3680 wrote to memory of 4316 | 3680 | 10dfb4f667.exe | 108 (repeated 3 times)
PID 3680 wrote to memory of 2004 | 3680 | 10dfb4f667.exe | 110 (repeated 3 times)
PID 3680 wrote to memory of 4888 | 3680 | 10dfb4f667.exe | 112 (repeated 3 times)
PID 3680 wrote to memory of 4540 | 3680 | 10dfb4f667.exe | 114 (repeated 3 times)
PID 3680 wrote to memory of 3836 | 3680 | 10dfb4f667.exe | 116 (repeated 2 times)
PID 3836 wrote to memory of 2932 | 3836 | firefox.exe | 117 (repeated 9 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2488
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3188
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 10124⤵
- Program crash
PID:2308
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 5364⤵
- Program crash
PID:3632
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008506001\64d488fae4.exe"C:\Users\Admin\AppData\Local\Temp\1008506001\64d488fae4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1432
-
-
C:\Users\Admin\AppData\Local\Temp\1008507001\c839fdb833.exe"C:\Users\Admin\AppData\Local\Temp\1008507001\c839fdb833.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3988
-
-
C:\Users\Admin\AppData\Local\Temp\1008508001\10dfb4f667.exe"C:\Users\Admin\AppData\Local\Temp\1008508001\10dfb4f667.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f550be11-3478-4a16-888d-9e54d137ce84} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" gpu6⤵PID:1268
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8290a00-7214-49cc-90aa-76962b2e0fc3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" socket6⤵PID:3720
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3408 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2736403-e222-4e4a-a1eb-a9a21159f54d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵PID:5056
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 2 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a33a920-d61e-49d5-90bf-492a9a28d57c} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵PID:1392
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4572 -prefMapHandle 4568 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {739b398b-5f10-46df-92df-5693ced49478} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" utility6⤵
- Checks processor information in registry
PID:2296
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af18dbbe-b07d-4e00-b2ef-0ca391ccf5dd} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵PID:5976
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1058134b-ee82-4bb1-b8a5-87b9bc417500} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵PID:6000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {283a094f-d2bf-44e7-8eae-99ba77213828} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵PID:6052
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008509001\43cf261ac4.exe"C:\Users\Admin\AppData\Local\Temp\1008509001\43cf261ac4.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Users\Admin\AppData\Local\Temp\1008510001\92e94ce798.exe"C:\Users\Admin\AppData\Local\Temp\1008510001\92e94ce798.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3256 -
      C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:5504

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9278ecc40,0x7ff9278ecc4c,0x7ff9278ecc58
        PID:5728

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
        PID:5844

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1856,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2072 /prefetch:3
        PID:5308

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
        PID:5848

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
        - Uses browser remote debugging
        PID:2392

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:1
        - Uses browser remote debugging
        PID:3080

        C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
        - Uses browser remote debugging
        PID:1872

      C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2164

      C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:5160

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1304
      - Program crash
      PID:4568

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 3636
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3248 -ip 3248
PID:4284

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5148

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3256 -ip 3256
PID:5208

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5288

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1060
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize 19KB
MD5 2dd112a8b2848a0f901aad0b8f1f98c1
SHA1 847b5eea635068d94df0d4fe11ebaa1f5dad1dc3
SHA256 db1a5360ec9fd1a3ca054a77deaeaeea5be428b1e0e58f0dc1c5f09212409157
SHA512 7bda74970e5c7e223e4a90cfc109918d5f0a43aa2188e9b1af230f559b9977027fd93ca8ba4b41149e0e9ea974c52fd4ba94f1562399fa5b759fe56a4e6a2936

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize 13KB
MD5 32a0f9baa00a7a260f11671c6642365f
SHA1 09f10275c54b59df147639e528927325fcaf016a
SHA256 9c8e134cc750a6105134790f0558bd295e412a9ca4c106e6160029437bec8d9d
SHA512 cb3f6d1344d0822a232e930cfb05a470d82a8599ffaa8561bee52ca785455fb3ce606a2ce58c606d8eb704fab947fdc1fbc4ac342c266b387303c48a3b456368

Filesize 649KB
MD5 e7aa83909ace3906ec75144cc33e024c
SHA1 333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA256 24443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
SHA512 508fd7984ea8b9d8c8b2cd3c7c3587941a6ee4627c7cf54fe56db7db75dbff0abdaf0db1b0c46876dc6ad0cc21735bd7a2f0351d5edeb735b2de796beef2ea72

Filesize 1.9MB
MD5 4cecb04d97630cc2d5cce80368b87fdd
SHA1 4f693736497e06c820b91597af84c6fece13408b
SHA256 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512 acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66

Filesize 1.8MB
MD5 acc594995958c5cf5f107fe27db38f8e
SHA1 92b6e9ee6a4a61b292883566738f8b7e038f5eb1
SHA256 2c3841d0070158d8f5824289380656aad74c190ddfd4ee8240eefbfd16988b89
SHA512 e82304a2948ab275c1b243255ce5dc01e5e2763f766eaea6915f6e7be0d130ab7e92d52b38f8f1186d30c809a7da2697f06bf55eb9152a52c81a26df8f21373c

Filesize 1.7MB
MD5 6af05407143697f6c49bd94e5903f73a
SHA1 003809f7aa6cb6ab5bf4ddb22dc659f22f0879ef
SHA256 e4853246b4c0b4d13aa84e929cf4313961f176e893a8c1c29720a1eb7f68c5a7
SHA512 42447c96152cfd43f6ba7d7533edc62e10e66eab6030c8914bcf1af64d6980b29d1ac6a960fb6a1e3699ce68a8fad92684f2c3ebe11009f911d2b98e49f61b5e

Filesize 900KB
MD5 7f05860baee4ff5da95e342eaee96e85
SHA1 a909d75ee89b3123f66c6ab227106c66e8cb5fb7
SHA256 dabb569816b302dccb1fa4c032f5e39a2660d32c3f95ece75e9ebf4144ce0b17
SHA512 a963cabe33d4f92041a1731afae796add8fd1ebb448583edfa9cf1a7e427bad514881b9dbf3d404c700d3bb24beab89fad4266fbaefd1aef3e76d4fad05bc0d0

Filesize 2.7MB
MD5 9a939117e7e796c8036b7a92bac70c4f
SHA1 74fe3772448794929f7f18f1c72f4f388b573468
SHA256 d94dec75c03b2044787f940bd7d96bf066eeada41e23854726ec54f2ff77bd72
SHA512 a722c1af22a5b67f5618b080f561977dbe5686abe1923a618a67a9c643a4cf814c033869625585cd8bff603f342a8ccfe2103654d9d6cc2bd87d56c097b651ec

Filesize 4.2MB
MD5 15a46db0313993e635e8a7f4ae91f44a
SHA1 93f7e0d18cda291de56f04e2ad35fff64446eb62
SHA256 aa421056287f6114a5932fc6fe92734a06fb0760567b1086774d25881b6bf4a1
SHA512 1ebc9e6e2e35dac10752f4e11466f0310af10c9911f004f41455d175602a199cb17a91297733179d3d0ee59801431464da62fc1e4f8639f0ba244c16076c2258

Filesize 1.8MB
MD5 72683bf9c6f350a7af5d18a98462fcdf
SHA1 1fd96a421e53351f72998a1a72f923b36e866a0b
SHA256 dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
SHA512 989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 18KB
MD5 436d993a5baeededd3eb5a67239f3701
SHA1 f673db3274aa1d60bfac3347efe71a11d2d80c62
SHA256 8d0c8923287d98a429fe2002981bff58635904fefb9150ab996c703f8b297313
SHA512 949c35e54d25102e00aee77b944d8257548c81c518abbeaf542c5fe639cfef394d997b8c15a62031bc7f4306a81ee7b6bd252acd41d10543fde5dd37a1a0713a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 6KB
MD5 bc82e422d891b9380b8db01de48375c4
SHA1 8d793c6f6cef9dd108bb0eb5ef177c542ae0ffd2
SHA256 3701955c8094b7bcbe1cdc4bcda5bd5e4a27cdfd4550fc17d0923d875be3ca4d
SHA512 9447a671a687c02f0126c0418870cced6d0d453059c0b039aba067b12118a3bf4b83d699ed930e57f6aef68a567954a10cdf57d0299fafa991fe58f5c2c319d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 12KB
MD5 b61cfc61b1b060cfa178aec5c0b5c095
SHA1 52902eccce5735cb8416397897a3f3bc02ce11df
SHA256 36169b75d368f2cc2cff9a9260fe5a78b0ca8e590b0aefdd7e6a834f117b51ab
SHA512 fba3b3c295bfe4030ec62e5129e997990c066930b044131ae137e1f46fd6d19cd8df623cd4724b2a043fc3eb6c2363e37901490a1fd6ee99b32b57a060bc98ac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 13KB
MD5 7b81695f85cbf7eac3aa034d069c90c8
SHA1 97bee937e4565e2f421148aaef1e21ac46e1f4cb
SHA256 113cfe4d82127a6b40af16ecf6a7dc9179ad91fe866e7d0672869b437c64b15a
SHA512 236b0c074ea23073c567551bf99e4d1c568a281df5e77ff673d32b368571f440a1cec05dc863cd776df7d7ee5ed7ee58da21c6a03c5bdbc37a735cf384104745

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 6851716c426cfe5816a862651142f142
SHA1 af7e7d4632b8d1f0ad9885f8ca86aa813ee96ff8
SHA256 12edc8a64cd9d3930ad61307f69568700b6a937fe17e085f3f4ab40588537815
SHA512 7d8662c2194264f8ba81f3a92e4a223dbd2a74f787eb070ec829a9a89102a4bcb19c3a3538058eae8a1a435d545451715ebfa84f43f82e16981a1fd2e055ad4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 230f5720540dc1b47f711b57f69d3c47
SHA1 f014a0ca1dddc89a43873190527bebdb932ed5d7
SHA256 fe70d2ec7e660a84519b153f254f95f80d4325740020b189181211668eb88d2e
SHA512 b12e32fd5d4647bca270a2faf882811967bb777788cae768345c431474beee14dbfefd64771d1aec45bc62af73c7fd96610d739f60c2f3b21ca4f5af57dd456d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\5745d185-eca7-4c84-ab72-8be13af38b67
Filesize 671B
MD5 9a3f0849e70037aaeff712fe90fe5229
SHA1 81483518d8ad1cbe0574198107e8ec75e7e51404
SHA256 72cf1c64c41fb1bd468a65dd07c0562bd192608c2cc47afea3d739d23ffdb6db
SHA512 1a83793ead2815e4a06191478b05a1dc5b71c1be9856a7b4e9de3f5fbe6c5c33686e1629d392923f319d9dfb047322eee4670448c70e2f5883a9aa728f5ca0d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\98b0272e-7f3e-4ed8-8f28-229b5c1c2b51
Filesize 982B
MD5 891c1855874886cbc48e45cdc9cf9054
SHA1 a6ad7affbb634c6dd61241f3e9a3a864a10882de
SHA256 249976a99c3210821553e63780b98d065c9075f1de8687b1030b8ecb8997badf
SHA512 2aa324652d53f86a418de7e482d71df1275a98239bc5d800aa032d4b89324a948737b08406ee14df730e12f21ad065202419e6946693132b832672f52f306905

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\c5e612b3-faeb-429a-9792-7783bea3784e
Filesize 26KB
MD5 ad9654c43fc2bb19d2f4180a6e098afb
SHA1 a73186caf6f4fb7c46d249ffa765f6f1b54bbedf
SHA256 01c0a58e7980d2b5942aa35dcbd12734b29d66a6734462e67c0fc7d8c6b1f0ef
SHA512 e5f2647ae11f9936f767f5f305b5a1fe7c892795b10fa80671a5912a5add3af72454cd22ff6c150e36e153d4d5b2d1e419a2607f312146a95bf55b6de1082ef8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 15KB
MD5 c730508619fcd91d1efd32f7c40f088a
SHA1 3d3e4d57a8eaeea2656b3decc7087aa31fd2563f
SHA256 92da38f89d4cd3289278abd592b798a3ef7c468801621b5dbddab70ca8a1935f
SHA512 ef0bbffce5cd574236bf85816d3e8d9f843bb8d8f89055ac33c47e062a7e208e83e062e2751d81dd00fb1fa9b9f2ab2c55dbbf92c5bbf1c53ea27131b74d3db2

Filesize 12KB
MD5 91d9a6f20b865ba45003f1dfa4e90389
SHA1 bedbfb41d915028481782f02801438f4180ee796
SHA256 ea2a768163bda7df9379577dd4b9701f620f8f778cd128ae804dde4f80817855
SHA512 d8701f7cf87c42947e37067ba265a7fc06dbdb2efed6e3f2baabedbf5e371dcffdf3c6432e3482012304d74197155dab7bf2d829277858e8be02e411cccc6516

Filesize 10KB
MD5 7316597151925d46238514daed6d44ae
SHA1 6aed2a81119433d195ca88d58c7c3b6e00ff0b1a
SHA256 ab0200ce35418cb40f9914cd73832b297fec778930ba869ff3a4b9eefa80b582
SHA512 3c2d4e60c4692c0d487a4459b419f8bbdc2af5b2f41b3b8e2498e4b6c2d32aebf4c8961804bc9517bc6c334a474cbde1dcd1afc5c2096db706135b836427acd7

Filesize 10KB
MD5 1e6184cee247d65c3fcb02e40d773870
SHA1 caf0048c60adab5486f4ec94e73badc7f213249d
SHA256 00afd5384201052c0ce36cd72bce0971673c2e9214405de9095c2e4f99858f0a
SHA512 1c1024a2d46cc73de48fcc6c6102f45265d0df4539e0a3886aec3c9364091dc234820bd389160ec3d4a149f16289fd1c7a490d4efd0d8ff45cc7fe7f2177c095

Filesize 401KB
MD5 3535fcd3063a2965f1dd8f9b65ca8355
SHA1 1f5c89caf911a08415d55ce1687101b65871b122
SHA256 086057602eec63ed064bd97c1643b20c727aa4a557d16bd26a763716414620fe
SHA512 9b623500ffbe25d6dc08c3c90aeb8c123e9fc2841f0962b6fe57ca1d2ab44fb1062352e1d5ab1d506b156c0b25aaf96ca6267a36fd064c97c12df965bcd66929