Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 17:24
General
-
Target
572ada56cb2c0c3db81fa6cbbbbfc1b2a4e76b4fabc1d7df14b0de94b606b32d.exe
-
Size
1.7MB
-
MD5
26294875129e1c780bc65dd46ac3ab19
-
SHA1
30655e1a0a1e9364eafc10b8203d4d0e3ddbdc9f
-
SHA256
572ada56cb2c0c3db81fa6cbbbbfc1b2a4e76b4fabc1d7df14b0de94b606b32d
-
SHA512
36f7bf6a4be689c41580dd6a7de6720959c1dfd2bf60e99ef5c690efb32027eb3fba2c1b3618ae50876c3dba8a3aa2901460bf79b6893fb63fe3801c690da742
-
SSDEEP
49152:rsICNP1j68mRbSDMF8YZX3V5EwEbHOF51j6:9CNdj68LDkfZXbEwkuF5w
Malware Config
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\572ada56cb2c0c3db81fa6cbbbbfc1b2a4e76b4fabc1d7df14b0de94b606b32d.exe"C:\Users\Admin\AppData\Local\Temp\572ada56cb2c0c3db81fa6cbbbbfc1b2a4e76b4fabc1d7df14b0de94b606b32d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa4bdbcc40,0x7ffa4bdbcc4c,0x7ffa4bdbcc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,11162591877379135483,6544143229449662637,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:83⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffa4bd746f8,0x7ffa4bd74708,0x7ffa4bd747183⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,18094311254647278931,818217335990121898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsBFIJEHCBAK.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\DocumentsBFIJEHCBAK.exe"C:\Users\Admin\DocumentsBFIJEHCBAK.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1009335001\44a52fc953.exe"C:\Users\Admin\AppData\Local\Temp\1009335001\44a52fc953.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009336001\2bcf7c9ea0.exe"C:\Users\Admin\AppData\Local\Temp\1009336001\2bcf7c9ea0.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9986ae1-f3dd-442f-91c8-9f74b9600513} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" gpu8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {525d9add-f706-4e3e-a57e-6eef7f2e8e10} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" socket8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73378fe0-b4d2-4f61-a95f-8acf727b633b} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 2816 -prefMapHandle 1236 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a83e94b9-c716-49b3-b831-2a0725203c85} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8df90465-4aaa-44f6-8f5f-44f49a3f0fae} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" utility8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac707ffe-7a24-4f9f-92cc-f4769af28c1a} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5296 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {802a9063-15d8-416d-85e6-345e61e4cdce} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aac083c-6f88-4d68-b8ab-fa07de97b957} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" tab8⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009337001\564258b70a.exe"C:\Users\Admin\AppData\Local\Temp\1009337001\564258b70a.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD52d3ab4d6d42bc7fd0ecc1348d5b9febb
SHA106c9492f8cb681cf992e9f3d72eb0f9739eab276
SHA256b59044e92abab80639db0ac53729589781c73787b0b6d0115e72db89d2fb11ec
SHA512029a49d1636e0037bb4a3714d6c25838403db7104e26e25de66599d3dce2f6c8e86533b4779932b0a103a435c5a5ad2fb7c757827a12ff167e58c045ed0ef01b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
5KB
MD5d540b2f3aa3de8bba8f00782bc58d8c9
SHA1276517002df586b2db4a626f0fa3463e6deaf9bc
SHA256d0278ae84cbfd83cb708e1267f57e41a94537fea05745a36ec8264670b774c36
SHA512b6bb9206b55a1738a6d43083bae3c81059cad556a9c05012957f52501b109d665f33aff1ead91928118e0beb7e0d7cb150fb477760a4346355361b627b74f27f
-
Filesize
19KB
MD5a1d8605d1f46a979a0443d069184f257
SHA16ca1479bba52ce6639ceb7d73f0cd53f8a8b0c1f
SHA2564bc443344050a3de08feeba6b7354817221df729f3826a4cf4c7651ba836d30a
SHA5124c9f644d5713f916cbbd69baff1d8cf71fb45e834d16690144ba10b5af093409f38bc624a3ab7588a9052d6a33f5cf506210ad4807c9644b8a784f1a9c4497d5
-
Filesize
13KB
MD5881b280aaec24336c5835b4451b54c5e
SHA10df299d78d294215d60acabcb887fcad1800fb3a
SHA256c02420e1e1474783e2f67e63dbd741284647530ba5488c3fb0ff2bc86154c80f
SHA512ee2373277a610d1167c7b896e8a0a8eb7d3d96e49f2f689cadb560bd032578f6d42317e440935626055b898416dfb332eeb3a566536aa9667c84ff0398bbe5fe
-
Filesize
9KB
MD54d35297242e4c6839accf919eff05e45
SHA1177ed71d87640085b1612ed46191c5ca769d256b
SHA2566e096d2f871144d502802f4b2f3cbe63531e3cea3eec0393ce2d01ede277e6ae
SHA5123b170abe8acb0ff6dd48e823cbbbdf4c1818e9c1bcd9d0c4c59a2fc885f87a5e461f367c467b8fb460979e5fab1fe3b468400d8320c5dd12d5c9c763043635b1
-
Filesize
1.8MB
MD55bc262146fdc51d7b88dccb812b1f71f
SHA196cc2b3b3b9d05e10ad78eeeef36591a5543dda9
SHA25682335522a0b1b0e33cc7f799c494091163d2e3669644e162e5f821364efa58d6
SHA512ab196309b29d70283842f1c9768889afa31b1ed935e94185c9b09aba6f2c62204e3b39d17672a07d64e70679148d615240a03f4467c2de1c82ede4ce84e64b4f
-
Filesize
900KB
MD52808098c61bf625fd19fc9fce3530f97
SHA144be521dade4a0a921db19c7f6bec143c80249f5
SHA25614f1e861775cd4c142b1a1cd07ceb37d3bbe4328140f9e246aa2255317cb928d
SHA512682a5d77d6e2d61bbf928431fed54b3a26b5208c64d03c320c4f0c1a8a5d8b9606d095374fa3fa9d1e858d16175c08503a0d768cc84053b03b662e66efb9d4af
-
Filesize
2.7MB
MD55f9d4c4a99f6d74e937ae98dc2890b62
SHA1d3c3b0f6ebea0222dcd76022fba9bcb2c56fe05f
SHA256accc07ef9af03a2440333196b11c89d278a143c612b28fcbf70148dbffb255e5
SHA512391a3683d21f6de8bf4d746ee3a06dbba407b4261f5774abe8924096d1fa3fda52795d75a7b4698a683b655c7fc3adeec2c26226a256eda0e919ff644b9d8e14
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5f37acc0a7375dd1129334d08033a18dc
SHA1b75354c00cddd5bd2955b16d0a86434efc36dd49
SHA25609f74df81aaf9d5bd0e7c70cf0b0966e15aa5309d05eb0e2449191a5974d5572
SHA51255964c5adfc1e82ca72504c571c525180de773945eccb42618aa6b5be9756f94eb53353111370d896ae33f5499d73bf42929086d9431af2c9ee4667c3c3ee598
-
Filesize
8KB
MD57cd2a9008df78a47e5165e0e503898d4
SHA18bccf9f8e75969c6048264b027ec586376e39254
SHA256090eda00fa2517c13706340bb01b66922dc5194b641f7e5ee78ecae62774b361
SHA512050adcbcd2f37dda12e72c1301811d14dbd24d45dbca3ff4089a36fbe98b4bf2a2832a1aed241b177063946cd2d3e40c3f8bd9d3e72213f604490d16762ad55f
-
Filesize
15KB
MD5edf5d91f82fd19a1eb2393c456302e80
SHA1e12ea248c7bf58a0c208e14fd3aeff1c469219a2
SHA2562c59e17dcc83a56fc1a9634af8b0f80b8bc5769538388feb579e529bb9f25670
SHA512decc78b4940f6ee72abe69afa3e5a48fd105cddad9f5a6222964df0041c62f705051b8ac76b51aa718b1d5424c8e7d3c6b065067d24f40623ac7c33ca02babf5
-
Filesize
15KB
MD52a613b121540cf9b0da6c63c072b82ed
SHA102a44f462f8eee19a02fac7917b075e60e5aca79
SHA25634f4fdc1753220765490a3190d2b188417a58c302907a158647926e63f3ac02a
SHA512474bdc1aedfedd85793951335f1f4d7b4a4968c57e601e28aa464983fe50c8a6e776ad247f64bd97977ccbcc3f05aa017e9ab5b9700566174962ee67051d3f83
-
Filesize
5KB
MD5023aa5651cdc6ee425876ff29a2b2bb7
SHA1c02b3376436465a27738baaf2c8e5fa3e6b8e308
SHA2569c3c5f3693c34625ed89dec1fcf28f1f4984413c385cf9522402cd34f992dbc4
SHA512b2290ad0be9b5ff0dabcea54178a62a4b87b4d68ac0ae9c1eaa402a442c55f30947c64ab63645c8d9c23467d370ea3bc39604008bda1dc36a7d0379e0f8e5ee1
-
Filesize
6KB
MD523c5e6171fb8e6e0bb35698c3edf322a
SHA15d2e9b03224a87ac7f0aa39a4f804fd019dd572a
SHA25612fce667f398d1205c21bc98d13c7d4d259d7f2e0f7c76bad89c1fe53bd9025b
SHA5126bde7d44509ca262438c3ad08836e8dafef22515f0ccdc4f940ea996f075a58289a89b9e9da9b326b1419bc9c3119f014b5fa1ce8f4b1a01926f3e726b3c33e9
-
Filesize
671B
MD5a432cbe107334167613dc27e2f6a218e
SHA114a4b32e03d9408dbe2e2b6ed38aac62c3cc5c49
SHA256931a6d74269e3f9244503e92a57d3fc21fcf785177826a9e02673e27ac403160
SHA512d2beb773d59d15ccc507de232eaffc1a299454d608c4153fb924113cf0160dddcbaa431667922b49d86eea531bf6a5551b5738f133ebe8cc952b8393d6a5d48b
-
Filesize
25KB
MD58c2d7b2605d9c6189ec3d2293fe77c10
SHA1b316dac1a7e21e1762c19e17185e00de884780e5
SHA256e31e26c2ab97d887522e24f75a28c3b3c832de76e3cd1638eda736b42f90d5f9
SHA512d2240764b4984e1e027c4a108f51dc52b96ba27cc1e0a8fe0e878aa0c7d64d2e1056687cff233ae067238c36520feaa697e4da4acb99c816d3c41e5514706d2e
-
Filesize
982B
MD5d0bcb05273640dd87abc8d7dd8043fad
SHA108bd554098eb9fa6fb164b90952b03a647d9293b
SHA25666ba93914f7be6151bb0c7a771deb35d65eeb185c15bfbce3de9172e9e241961
SHA512b706993fcda0d181f7031122d24d5ea49782a010318aee949ea301fdcbbc1269850dd4979ed46dfcb7a5d7eb203e64d8e710672245ea27915bf619c175b64a52
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5afb719a43dfdf8d24072082597b302c3
SHA1b1228e2d161d8b24d5eea15db8bae3bb16cac7a5
SHA256ec9926734745997990d14c886895181e62952ad02dc4db0dd4a9b686eeacc060
SHA512a75c2915c9f5df86c876dc115ed9754ec150453aa6d7c5f020d49bbb85f97f232c949ca77686ff213734fa59c562d6cf65a0dbbc8ef59ca48de7a8711f93ecc6
-
Filesize
12KB
MD570b1bd128e64866670ccd25081c235d1
SHA15122b857528306813c870215746365d9ca6a6cb5
SHA256661468dfdaf79354042556a9d6720cad94f6725fa0368bebbe3f520cd975b8c6
SHA512ccad5da13f2170012ac3663d74960d4bc9577983302a0cb67a615f292cc050d8887732cb8763a6543733be7d0145421b8362cef923eedbc1f77a54bc2da55d6e
-
Filesize
15KB
MD5b084d3166b2a7faa6f92b6fe9dc78f51
SHA130e916029aa5fefae211c4425bcac18004667730
SHA2561a229b450f7ba8445b715c861d3cb2921f4e21ac8c6d10c5d053dcc5b80054d3
SHA512b5a0af9ac68313b9f69c5bb02c9b0d5d632127975e9bb07f00bef4c36d8ec5aad0bce2a496212de626110ad687d42f833d2bb5f19360353b6f890db1e473162e
-
Filesize
10KB
MD51776415c575d1f90eb589416c44b90c8
SHA1323a7811cb4719f97694632cbd2dcdd44216e7c7
SHA256edba326a860d083076b286598dcd9ef9180b3b6f6fe2ba625b20bdd58213e26c
SHA512afa6176d6e69c7f6c445d8101641731b79eec94d228c1834582daaeb60c1b2555b63cbfa9e3958b214f5c03c9e662ae2be884f47e46847dbf511f162d0c9bb15
-
Filesize
1.8MB
MD5f411e8ba308fa02cc836127041e8ca0e
SHA127b0a8eef0c494bbe09bd01ff6681fc0af9b54f7
SHA256fe89c8e49d40b87405dccc542dc95138c77da6168955508138876c493abcaa66
SHA5120449ea5f72ceb3109af1ecda33120c28540a5cdc549a219080c5d86dfb813938f10e3cfbd09574b61a6230cb5ce5493b6c829b50b2885eeb7f4b0dfd08837715
-
Filesize
6.6MB
-
Filesize
8KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
972KB
-
Filesize
6.6MB
-
Filesize
92KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB