amadey | bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Size

1.8MB
MD5

7d73c981878c3890d5b2c4e402bbd8dc
SHA1

f9e3b3d0b36c110fa480f30cc4884afbe647e58a
SHA256

bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2
SHA512

86f215c68b3597a3c35872f6aa9868f49cb2f115639146042d79c67a70722f3c9f2b33a4677dcff2c14ba9d3593f1e1bb872be8f80c1eeeb58df74a1cd93cfd8
SSDEEP

49152:z/hxpLhalOwRidDm8hPNStLljEKVChQ0iQS63a+SD:zXp8lHwDthP+LljTr0iw3O

Score

10^/10

amadey stealc systembc 9c9aa5 reno defense_evasion discovery spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3076 created 3448	3076	nAEqBMS.exe	56

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EWWYY8TF8ERM4HV62IX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oiexwl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	q8viZ0W.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GjZwgbz.exe

Downloads MZ/PE file 8 IoCs

flow	pid	Process
29	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
38	212	skotes.exe
38	212	skotes.exe
38	212	skotes.exe
38	212	skotes.exe
38	212	skotes.exe
38	212	skotes.exe
158	212	skotes.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GjZwgbz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oiexwl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q8viZ0W.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q8viZ0W.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1VB7gm8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oiexwl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EWWYY8TF8ERM4HV62IX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EWWYY8TF8ERM4HV62IX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1VB7gm8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GjZwgbz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 15 IoCs

pid	Process
2176	EWWYY8TF8ERM4HV62IX.exe
3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
212	skotes.exe
2332	7fOMOTQ.exe
3896	1VB7gm8.exe
1884	GjZwgbz.exe
2908	skotes.exe
728	oiexwl.exe
1624	q8viZ0W.exe
1100	L65uNi1.exe
2576	L65uNi1.exe
4792	skotes.exe
3076	nAEqBMS.exe
2496	af53YGc.exe
4716	af53YGc.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	oiexwl.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	EWWYY8TF8ERM4HV62IX.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	7fOMOTQ.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	GjZwgbz.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	q8viZ0W.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	1VB7gm8.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
2176	EWWYY8TF8ERM4HV62IX.exe
3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
212	skotes.exe
2332	7fOMOTQ.exe
3896	1VB7gm8.exe
1884	GjZwgbz.exe
2908	skotes.exe
728	oiexwl.exe
1624	q8viZ0W.exe
4792	skotes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 2576	1100	L65uNi1.exe	109
PID 3076 set thread context of 768	3076	nAEqBMS.exe	123
PID 2496 set thread context of 4716	2496	af53YGc.exe	125

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	GjZwgbz.exe
File created	C:\Windows\Tasks\skotes.job	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4852	1100	WerFault.exe	108
2196	2496	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GjZwgbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nAEqBMS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oiexwl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q8viZ0W.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EWWYY8TF8ERM4HV62IX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
2176	EWWYY8TF8ERM4HV62IX.exe
2176	EWWYY8TF8ERM4HV62IX.exe
3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
212	skotes.exe
212	skotes.exe
2332	7fOMOTQ.exe
2332	7fOMOTQ.exe
2332	7fOMOTQ.exe
2332	7fOMOTQ.exe
2332	7fOMOTQ.exe
2332	7fOMOTQ.exe
3896	1VB7gm8.exe
3896	1VB7gm8.exe
3896	1VB7gm8.exe
3896	1VB7gm8.exe
3896	1VB7gm8.exe
3896	1VB7gm8.exe
1884	GjZwgbz.exe
1884	GjZwgbz.exe
2908	skotes.exe
2908	skotes.exe
728	oiexwl.exe
728	oiexwl.exe
1624	q8viZ0W.exe
1624	q8viZ0W.exe
1624	q8viZ0W.exe
1624	q8viZ0W.exe
1624	q8viZ0W.exe
1624	q8viZ0W.exe
2576	L65uNi1.exe
2576	L65uNi1.exe
2576	L65uNi1.exe
2576	L65uNi1.exe
4792	skotes.exe
4792	skotes.exe
3076	nAEqBMS.exe
3076	nAEqBMS.exe
3076	nAEqBMS.exe
768	MSBuild.exe
768	MSBuild.exe
768	MSBuild.exe
768	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	nAEqBMS.exe
Token: SeDebugPrivilege	3076	nAEqBMS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2176	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	91
PID 4192 wrote to memory of 2176	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	91
PID 4192 wrote to memory of 2176	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	91
PID 4192 wrote to memory of 3408	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	93
PID 4192 wrote to memory of 3408	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	93
PID 4192 wrote to memory of 3408	4192	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	93
PID 3408 wrote to memory of 212	3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe	94
PID 3408 wrote to memory of 212	3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe	94
PID 3408 wrote to memory of 212	3408	WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe	94
PID 212 wrote to memory of 2332	212	skotes.exe	97
PID 212 wrote to memory of 2332	212	skotes.exe	97
PID 212 wrote to memory of 2332	212	skotes.exe	97
PID 212 wrote to memory of 3896	212	skotes.exe	98
PID 212 wrote to memory of 3896	212	skotes.exe	98
PID 212 wrote to memory of 3896	212	skotes.exe	98
PID 212 wrote to memory of 1884	212	skotes.exe	102
PID 212 wrote to memory of 1884	212	skotes.exe	102
PID 212 wrote to memory of 1884	212	skotes.exe	102
PID 212 wrote to memory of 1624	212	skotes.exe	107
PID 212 wrote to memory of 1624	212	skotes.exe	107
PID 212 wrote to memory of 1624	212	skotes.exe	107
PID 212 wrote to memory of 1100	212	skotes.exe	108
PID 212 wrote to memory of 1100	212	skotes.exe	108
PID 212 wrote to memory of 1100	212	skotes.exe	108
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 1100 wrote to memory of 2576	1100	L65uNi1.exe	109
PID 212 wrote to memory of 3076	212	skotes.exe	122
PID 212 wrote to memory of 3076	212	skotes.exe	122
PID 212 wrote to memory of 3076	212	skotes.exe	122
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 3076 wrote to memory of 768	3076	nAEqBMS.exe	123
PID 212 wrote to memory of 2496	212	skotes.exe	124
PID 212 wrote to memory of 2496	212	skotes.exe	124
PID 212 wrote to memory of 2496	212	skotes.exe	124
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125
PID 2496 wrote to memory of 4716	2496	af53YGc.exe	125

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
  "C:\Users\Admin\AppData\Local\Temp\bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\EWWYY8TF8ERM4HV62IX.exe
    "C:\Users\Admin\AppData\Local\Temp\EWWYY8TF8ERM4HV62IX.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe
    "C:\Users\Admin\AppData\Local\Temp\WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\1068334001\7fOMOTQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068334001\7fOMOTQ.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\1068542001\1VB7gm8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068542001\1VB7gm8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\1068561001\GjZwgbz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068561001\GjZwgbz.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\1068567001\q8viZ0W.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068567001\q8viZ0W.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\1068740001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068740001\L65uNi1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\1068740001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068740001\L65uNi1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 824
        6⤵
        Program crash
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\1068766001\nAEqBMS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068766001\nAEqBMS.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\1068808001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068808001\af53YGc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\1068808001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1068808001\af53YGc.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 816
        6⤵
        Program crash
        
        PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:768

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\ProgramData\jiik\oiexwl.exe
C:\ProgramData\jiik\oiexwl.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 1100
1⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2496 -ip 2496
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1068334001\7fOMOTQ.exe

Filesize
1.8MB

MD5
9ac96e9c847e1ae6595d8b30845d12a3

SHA1
954c89dbffd2dd77eff1509886e4624852e094da

SHA256
bf6d2fe4af4a4704cb02b0942d7e6401e114c289998c69a56a51cebdcde87eca

SHA512
66d350d835f5327f8d989aa11eee6b7a191ed05533a044685f4f37edc2d654940515510f16ee418a7e0fa9283aece47203f028df8365397791c468647802cda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068542001\1VB7gm8.exe

Filesize
1.8MB

MD5
36465d1f2d56ae0a5ec876cf59bc7b19

SHA1
30eb8b914f3371d5432b79296112c26d538c455e

SHA256
69c2785558326b01a5150e07c43129e4045ae2df449b7625b75aea94b8206c63

SHA512
af0344bd9a088040167b5e231bf3d894f40a737a7b2630dd2321332cac79331619d7b7eedb3063d26f96380ab39ffea16ec06bb172445e4d108792ca0a7bcb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068561001\GjZwgbz.exe

Filesize
1.7MB

MD5
e2df3d65784e6202d297bec31d1dfaa1

SHA1
a74be156066f49f56bd5835e35210591b7010634

SHA256
c539384c0034cc40b226df8cf1354eb264c0e48e722fdd44205ce6783122dba8

SHA512
3e311421b7bd8db2ed11fa3bd6406d96a6506b96c54dcf8ab0ea5b95d208dbb124e3372a7be39e42f25f2c2cf59a35888d489c2a107377b831c470bde8f35dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068567001\q8viZ0W.exe

Filesize
1.8MB

MD5
31ba89e658d9ad58689a04a275f78c26

SHA1
03c6e64fcbe125c1817447caa8787e095f569f6c

SHA256
d1cd20e918b58bb60a8377f3793123008e95eb7d2727a309bd6ee153316efd94

SHA512
c77e93051da8c7a508b1dac9705577e8a717279fe2176b2900c514b533bd45a3847aafc3cf2961d662f08c5ba0f82e83fb8496114a582bbaed0e115d5b1ea7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068740001\L65uNi1.exe

Filesize
795KB

MD5
56c1170157268e27017cfa8b5ebf500a

SHA1
7194ece41a522c8b6be2869a8a50f152c1da3803

SHA256
5f9b7bf8888cafff923dcad8076bbd104e19bc06680c715331ddb28accdf1d34

SHA512
0004b994a5291527234fff75aaf74a9805ff87ef87ac51681801a1fa7bda2d94e49ea1e88721d1a4bb9a12e96e748f897362656cd4ef46ef0062922037495625

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068766001\nAEqBMS.exe

Filesize
13.6MB

MD5
1f5ebe1464006d73af7cc479c2054cbf

SHA1
07f4e37805d2a0ddc7780e532188a19836deb481

SHA256
e27167add3c8150d629cc1d16471101a1a2b56d208701cfcf1298be6bed3ab14

SHA512
318f349694ba47f52d0fa9fda13f1deacf85af90e1613964d125fe72bea26c98629150a762f23a07e9679e4a038b020f4ca7d9bf54a96b5d404de19c36fbfe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWWYY8TF8ERM4HV62IX.exe

Filesize
1.7MB

MD5
e9b928780742fa22ababf73d7904af16

SHA1
654d936dbea2ec1dcae7b787e9c2226425a42a76

SHA256
655c7915a26a0a33320d7059b06ae220105dfc48c71b85ad0c66497115955ced

SHA512
87443ea4c43dcea2b2df5c795559926f7f19627652f89c7eac7a603c8175c2945af13fefa256c3479444b2f9cc32cff3f3c5793c4a48661e2f2a6cb16635c647

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMU0LZCC6WBQB3QITHG37SV9RMS8Y.exe

Filesize
1.8MB

MD5
fa872640e46a3e408c68fa9f9cecd015

SHA1
b6d2e38792c40fc382d5908f633873078cac6c7a

SHA256
a5276b574366ac82c4c8dc695e22d325343766f98b34a8d4bd67cdf94cabd797

SHA512
d25ed34e8d6c0e7c49f31c4065466436d3cd997f88cc86080bcbe9667456e2c03dfd4f88be419467c038b6802061e3eccc4f15b292cc4b7905af8ac61ffe375e

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
234B

MD5
08b3f12b331e0c772d5d3a7ad0d748e0

SHA1
dec03ce8018bf74a3a439cce94a4c61aee3e8562

SHA256
50bdebcd53d847a80cd513710a8c05ed43b5a7300594643f34087f254c2a42e5

SHA512
ba960603ef3ffd880ecaa1335a7fb9d176faf6b71527b44fa090e3cad7613bb73533f7ec89d470664bc5a8121f847f61a6ca0c7ae3237498460a0103abd9f74a

Download Submit
memory/212-152-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-171-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-158-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-161-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-173-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-75-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-73-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-103-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-38-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-123-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-39-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/212-164-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/728-100-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-170-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-122-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-163-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-151-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-172-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-160-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/728-157-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1100-145-0x00000000007F0000-0x00000000008BE000-memory.dmp

Filesize
824KB

Download
memory/1100-146-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/1624-121-0x00000000009E0000-0x0000000000E8A000-memory.dmp

Filesize
4.7MB

Download
memory/1624-156-0x00000000009E0000-0x0000000000E8A000-memory.dmp

Filesize
4.7MB

Download
memory/1624-154-0x00000000009E0000-0x0000000000E8A000-memory.dmp

Filesize
4.7MB

Download
memory/1624-126-0x00000000009E0000-0x0000000000E8A000-memory.dmp

Filesize
4.7MB

Download
memory/1624-125-0x00000000009E0000-0x0000000000E8A000-memory.dmp

Filesize
4.7MB

Download
memory/1884-124-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-105-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-165-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-104-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-153-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-159-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-91-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-162-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1884-166-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/2176-12-0x0000000000021000-0x0000000000038000-memory.dmp

Filesize
92KB

Download
memory/2176-15-0x0000000000020000-0x00000000006AF000-memory.dmp

Filesize
6.6MB

Download
memory/2176-13-0x0000000000020000-0x00000000006AF000-memory.dmp

Filesize
6.6MB

Download
memory/2176-10-0x0000000000020000-0x00000000006AF000-memory.dmp

Filesize
6.6MB

Download
memory/2332-72-0x0000000000170000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/2332-55-0x0000000000170000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/2576-148-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2576-150-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2908-95-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/2908-96-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/3076-195-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/3076-209-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-1524-0x0000000006890000-0x00000000068E4000-memory.dmp

Filesize
336KB

Download
memory/3076-1521-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/3076-1520-0x0000000005FD0000-0x0000000006052000-memory.dmp

Filesize
520KB

Download
memory/3076-1519-0x0000000005F50000-0x0000000005FD4000-memory.dmp

Filesize
528KB

Download
memory/3076-196-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-197-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-199-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-201-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-205-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-211-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-214-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-215-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-217-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-219-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-207-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3076-192-0x0000000000BD0000-0x0000000000FCC000-memory.dmp

Filesize
4.0MB

Download
memory/3076-193-0x0000000005920000-0x0000000005B80000-memory.dmp

Filesize
2.4MB

Download
memory/3076-194-0x0000000005BF0000-0x0000000005D1A000-memory.dmp

Filesize
1.2MB

Download
memory/3076-203-0x0000000005BF0000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download
memory/3408-22-0x0000000000E21000-0x0000000000E4F000-memory.dmp

Filesize
184KB

Download
memory/3408-23-0x0000000000E20000-0x00000000012D8000-memory.dmp

Filesize
4.7MB

Download
memory/3408-24-0x0000000000E20000-0x00000000012D8000-memory.dmp

Filesize
4.7MB

Download
memory/3408-37-0x0000000000E20000-0x00000000012D8000-memory.dmp

Filesize
4.7MB

Download
memory/3408-20-0x0000000000E20000-0x00000000012D8000-memory.dmp

Filesize
4.7MB

Download
memory/3896-74-0x0000000000CA0000-0x0000000001142000-memory.dmp

Filesize
4.6MB

Download
memory/3896-97-0x0000000000CA0000-0x0000000001142000-memory.dmp

Filesize
4.6MB

Download
memory/3896-71-0x0000000000CA0000-0x0000000001142000-memory.dmp

Filesize
4.6MB

Download
memory/4192-4-0x0000000000C00000-0x00000000010A7000-memory.dmp

Filesize
4.7MB

Download
memory/4192-5-0x0000000000C00000-0x00000000010A7000-memory.dmp

Filesize
4.7MB

Download
memory/4192-3-0x0000000000C00000-0x00000000010A7000-memory.dmp

Filesize
4.7MB

Download
memory/4192-0-0x0000000000C00000-0x00000000010A7000-memory.dmp

Filesize
4.7MB

Download
memory/4192-11-0x0000000000C00000-0x00000000010A7000-memory.dmp

Filesize
4.7MB

Download
memory/4192-2-0x0000000000C01000-0x0000000000C2A000-memory.dmp

Filesize
164KB

Download
memory/4192-1-0x0000000077334000-0x0000000077336000-memory.dmp

Filesize
8KB

Download
memory/4792-168-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download
memory/4792-169-0x0000000000360000-0x0000000000818000-memory.dmp

Filesize
4.7MB

Download