Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
112cf61b5fdf72b3996262baecbe9fef
-
SHA1
eb1e4b94cc3e8f6dbe425473526154802d126e8e
-
SHA256
23621d59cc4f6e323e95e9f17ad90e380b71964b28f4b669f1038289dc9f2131
-
SHA512
a093ea6ad1134509c1650faa25372f5986751d36aca5fd558a5b5958e29bd449ef78ebdacba399d01ebd22466fff64948a225c8239a795fb3e8893bd3db60b94
-
SSDEEP
49152:kO432MbH0Py+DUQDH2DJTd6P5Po4HxlRrd9MH:kOI2MbH06+Df7uJT6z7
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 266630cf46.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 266630cf46.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 97ef2ac5ee.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e3a3f5ad79.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 97ef2ac5ee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 97ef2ac5ee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e3a3f5ad79.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e3a3f5ad79.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 266630cf46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 266630cf46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 8 IoCs
pid Process 2148 skotes.exe 4460 97ef2ac5ee.exe 4976 e3a3f5ad79.exe 4380 b4faf29564.exe 4596 skotes.exe 428 266630cf46.exe 5668 skotes.exe 2032 skotes.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 266630cf46.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 97ef2ac5ee.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine e3a3f5ad79.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 266630cf46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 266630cf46.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e3a3f5ad79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004030001\\e3a3f5ad79.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4faf29564.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004031001\\b4faf29564.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\266630cf46.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004032001\\266630cf46.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97ef2ac5ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004029001\\97ef2ac5ee.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023c86-69.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 3624 file.exe 2148 skotes.exe 4460 97ef2ac5ee.exe 4976 e3a3f5ad79.exe 4596 skotes.exe 428 266630cf46.exe 5668 skotes.exe 2032 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 1348 4460 WerFault.exe 97 2476 4460 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266630cf46.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e3a3f5ad79.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b4faf29564.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97ef2ac5ee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 4328 taskkill.exe 4932 taskkill.exe 3156 taskkill.exe 852 taskkill.exe 4532 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 3624 file.exe 3624 file.exe 2148 skotes.exe 2148 skotes.exe 4460 97ef2ac5ee.exe 4460 97ef2ac5ee.exe 4976 e3a3f5ad79.exe 4976 e3a3f5ad79.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4596 skotes.exe 4596 skotes.exe 428 266630cf46.exe 428 266630cf46.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 428 266630cf46.exe 428 266630cf46.exe 428 266630cf46.exe 5668 skotes.exe 5668 skotes.exe 2032 skotes.exe 2032 skotes.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 4932 taskkill.exe Token: SeDebugPrivilege 3156 taskkill.exe Token: SeDebugPrivilege 852 taskkill.exe Token: SeDebugPrivilege 4532 taskkill.exe Token: SeDebugPrivilege 4328 taskkill.exe Token: SeDebugPrivilege 2696 firefox.exe Token: SeDebugPrivilege 2696 firefox.exe Token: SeDebugPrivilege 428 266630cf46.exe Token: SeDebugPrivilege 2696 firefox.exe Token: SeDebugPrivilege 2696 firefox.exe Token: SeDebugPrivilege 2696 firefox.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
pid Process 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 2696 firefox.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe 4380 b4faf29564.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2696 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3624 wrote to memory of 2148 3624 file.exe 89 PID 3624 wrote to memory of 2148 3624 file.exe 89 PID 3624 wrote to memory of 2148 3624 file.exe 89 PID 2148 wrote to memory of 4460 2148 skotes.exe 97 PID 2148 wrote to memory of 4460 2148 skotes.exe 97 PID 2148 wrote to memory of 4460 2148 skotes.exe 97 PID 2148 wrote to memory of 4976 2148 skotes.exe 109 PID 2148 wrote to memory of 4976 2148 skotes.exe 109 PID 2148 wrote to memory of 4976 2148 skotes.exe 109 PID 2148 wrote to memory of 4380 2148 skotes.exe 110 PID 2148 wrote to memory of 4380 2148 skotes.exe 110 PID 2148 wrote to memory of 4380 2148 skotes.exe 110 PID 4380 wrote to memory of 4932 4380 b4faf29564.exe 111 PID 4380 wrote to memory of 4932 4380 b4faf29564.exe 111 PID 4380 wrote to memory of 4932 4380 b4faf29564.exe 111 PID 4380 wrote to memory of 3156 4380 b4faf29564.exe 113 PID 4380 wrote to memory of 3156 4380 b4faf29564.exe 113 PID 4380 wrote to memory of 3156 4380 b4faf29564.exe 113 PID 4380 wrote to memory of 852 4380 b4faf29564.exe 115 PID 4380 wrote to memory of 852 4380 b4faf29564.exe 115 PID 4380 wrote to memory of 852 4380 b4faf29564.exe 115 PID 4380 wrote to memory of 4532 4380 b4faf29564.exe 118 PID 4380 wrote to memory of 4532 4380 b4faf29564.exe 118 PID 4380 wrote to memory of 4532 4380 b4faf29564.exe 118 PID 4380 wrote to memory of 4328 4380 b4faf29564.exe 120 PID 4380 wrote to memory of 4328 4380 b4faf29564.exe 120 PID 4380 wrote to memory of 4328 4380 b4faf29564.exe 120 PID 4380 wrote to memory of 440 4380 b4faf29564.exe 122 PID 4380 wrote to memory of 440 4380 b4faf29564.exe 122 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 440 wrote to memory of 2696 440 firefox.exe 123 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 PID 2696 wrote to memory of 4376 2696 firefox.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\1004029001\97ef2ac5ee.exe"C:\Users\Admin\AppData\Local\Temp\1004029001\97ef2ac5ee.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 14844⤵
- Program crash
PID:2476
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 15044⤵
- Program crash
PID:1348
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004030001\e3a3f5ad79.exe"C:\Users\Admin\AppData\Local\Temp\1004030001\e3a3f5ad79.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4976
-
-
C:\Users\Admin\AppData\Local\Temp\1004031001\b4faf29564.exe"C:\Users\Admin\AppData\Local\Temp\1004031001\b4faf29564.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57192c16-f9e8-41b4-b753-dd0c922844e2} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" gpu6⤵PID:4376
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6e24d0d-531e-48ef-9514-a4af310a1bc5} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" socket6⤵PID:2676
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 3008 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7572eb4f-835c-48d2-ab7d-03c0367e0e00} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab6⤵PID:232
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3768 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3889ebc0-1c86-4565-abbd-f801843b73dc} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab6⤵PID:4268
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d95a802-a77a-4eaa-8497-837c6d74c90c} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" utility6⤵
- Checks processor information in registry
PID:5564
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a5f2646-219c-4b87-bf51-4c8ecae601cc} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab6⤵PID:5292
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f8f8eb-d822-4906-a461-83b3b2315980} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab6⤵PID:5328
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c2e4aa7-dfaa-49b5-96fe-bb13d999cb81} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab6⤵PID:5340
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004032001\266630cf46.exe"C:\Users\Admin\AppData\Local\Temp\1004032001\266630cf46.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4460 -ip 44601⤵PID:2284
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4460 -ip 44601⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5668
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2032
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json
Filesize24KB
MD57b0c64fda2a55a2e2e3e89c124f94136
SHA117d80612977caaa6b089916768235a31e5ada4a3
SHA256e6795d8b7d760e3619f1f7138aedbf94038fbdb0c90f893092cfa5cc4c75a74d
SHA5123540174dd6c07f5b5a56f69dd04a26c97559ffe8ec3840fbc5c305fed4e356f3011845dd80140ac2b09f110d2f04b525687da93f755b4e450ae133a1da80d294
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD59e7537aba991ea02dd47068b2a982dc1
SHA1317ab41c554e9620aef45019a19eeb28753e058a
SHA2566e1fb848dffa9a6f8c4146c62c933ec79b5d9d1da13c3a910f3e915749f2dc1f
SHA51280ff7603f6fbc7af10c2de3a434a5f8caed23f0a6f7e97e9b397b12e36ae79e9594307fca987f2079ba6d7bac58dae3dc638f8607a77f8d1cb842033fa5ec80d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize9KB
MD5af36bc56b41f215710863156fb46bd36
SHA17ee454628bcb82aecaef40763fbd78ed1ea96aa5
SHA256750b781e2dd1361762614a904e98202cdfdbbf42bc097d4105d708ba34b0a144
SHA5121ae622ee753dba8793b66e012e3164692893252715260623c0ca2632ecf33a7ca3338515751a1388e328943c3187f506e027b87a3ed2372ea3454f7c56532044
-
Filesize
2.8MB
MD5fa9cb3030ba1bc095ac7f84ece81159d
SHA1178a344a4e41bb66d1441bc1a70f6444defe8c3c
SHA2564e456175bc7e71209b47ba72449f2ec31719cbd9e64387b77d0f5d819747b68f
SHA5125dc0888468ee7a4b92205eb2fec33fe39b9913d375ed358fa01e72d2161e4f43783aadcda79ce0eb577a86b2306dbb6c31b541dbd0dbaa4fc069cae439973894
-
Filesize
2.0MB
MD5649b30a03ce978366e6c5189a1f3ce1c
SHA10815ec58e255ac4659fc5cc62438ef009955b6e9
SHA256935236bed1b5f179782f75b32cf4a7e66fafba9b9e3b4be4bacd2f1ad2cef8ad
SHA5127381db1186e171e294e3449f3478b43e2f96706565b4ebfb2e224441259388382d114d225147d44a7fd9036926e54ffdc7d905d163dc06dc4fd8ab98bb1b774b
-
Filesize
898KB
MD58ca4b0a008e0bb5cb6530bfadacc876c
SHA1b2c906d580a640acafe788265afb4ec6c8d50ddf
SHA2564046e003425711a55d624a7a89eccbe7354ae09e580754f3b0444bb822e4964a
SHA5120d77e6ce39a0ba185c64d28c92607ef37fd3842e7fd06b7ff2e7ee29a822eecc09c6f367a918f4ea73a69681394316258cfefe4f03736c8bd5ce86f28a4ef29e
-
Filesize
2.7MB
MD55af3ca07cc3dbc6744663fbf0e653a8d
SHA17e0d1b266e3e1bd2f511d466ca5f00338e9b6332
SHA2565862865799f158dce084650d09013e4070d89fdc3e3c01ddb6e6213124a76ef4
SHA5125af1146bfc9b7f2b8b3cdd37d0b676b22c0ad3c9fb3eb88c9d60350ffebcda18fb1b5ccfae2616d235ff1e09ff5ea5e10c44919e71f84e131d2c2525808a974a
-
Filesize
3.1MB
MD5112cf61b5fdf72b3996262baecbe9fef
SHA1eb1e4b94cc3e8f6dbe425473526154802d126e8e
SHA25623621d59cc4f6e323e95e9f17ad90e380b71964b28f4b669f1038289dc9f2131
SHA512a093ea6ad1134509c1650faa25372f5986751d36aca5fd558a5b5958e29bd449ef78ebdacba399d01ebd22466fff64948a225c8239a795fb3e8893bd3db60b94
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize8KB
MD594363582ca27a39d3f9867942a8dab6d
SHA1eb9b0902fa8972a5567b12c228f78cd51ca607a5
SHA25656fce522702b7e63e0fb86b5d0c634e1e0721208d72bd321c3d0af0970270853
SHA51222bd8cae78dc1a859952e9d85cc36300a359180b8fc106ee11fa44774917d1ad3aef5217321a43d9bc9d6a9354b83a5b0fd77fd2fbaeed11e8e35e4a895cab3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5dc12fbf221e38b4f0f3a35cd5ce7b8c0
SHA188db6686788627f6d313d51f808b1dc925c8f36d
SHA2564efbc2080ccf67cc2337a5d98e5aef77997219c68e37aef35b0fedbed4f6086c
SHA512b50fce90557a590c0ecbf38a0b30d3fe910e2d2ec40a00f5074b88b7e8fa99a9ed8a01c1c1acdb30a39d0dc54c96365f4eacb4c3e08d7e271dcd0595ad0624a2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD51f8799b772f250aacc4911a9dc90c75c
SHA148b9025cd5f07ee03da866501884637cd88afca2
SHA256263e628ee5c6a1376f2c5119c709ea02e35d55f1f71e69057d8db3d8c1d11737
SHA512b802345a4e17dd1f6a59195a047a1d4a5737ea2e2c6d651ee363f23b3dab580e250fe6627706b53f2176f199330b8fb572e5eb15987df39b6beb5602455d93f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5f4a51579675606672ad22315e3d99bd4
SHA107fff4e5570d755a3d720ddb9c77dc153fbdd3bf
SHA25635e7fce29edb850a6bcb9652863ad67f9d171cb21a749a764d38dea339057045
SHA512c2568f105d2d27349b84b08123d3dd656f6972225c4464a4da73db744bb371a4c668838d1c2d6290006658092b2663557558798ec5392a7755fe760a71667fc8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\3c2615eb-4e94-4978-a283-1edfc35e4a5d
Filesize671B
MD55df9e32bc662299d751cfdfbce2a2d6b
SHA15b053f5ba85bf58866b3115aa8c4c8a16fb0e1b9
SHA256ca336cfcabefd4b6331fcbbdf81e0ee364a08915873ca7fe9855bc9f8cf709bf
SHA512b120678fc4564dffc49f084e6b6eb0e1c71c90de4e960df8dbae44cdfc97260db150da26064ff6a66957d258bf6739132f74435360ad9ea60cdeae25c4afc859
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\459bcfd2-b09c-4d8c-bfca-1725b84ea356
Filesize25KB
MD5dd136e6974686f4cac50a7eb92c888df
SHA130f0d3013d7ffe86948d6181d3a11f312ae6029a
SHA2561d13bb30f72cfd0dd002c4a7714dc7c411ffb9e1d52a9b475f53f1002fac423a
SHA512f5d8f36a651a1a5cae16e7dae6d8d032b80f3b98d3c580f0601248ddb14366ff2309453da31478f7d6f975a0a7f19325a988cfa11f17fea9941de02e1e24d2d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\615c1d7a-239c-4443-aceb-4410e55ef50d
Filesize982B
MD50e380f9bbdfb9f1add0ad1066c6a0381
SHA1087dace32d344e27a8dcceab880a105b78c7d3eb
SHA256f4515a12f704591d0078dda2f8e700d0101e0e4c7ee892c5478ba7e64eb1fb1f
SHA512c06bbdf505e4d302facd15f1c6f94c59c6370cdcb04445a7562e1502e4aba08577af229b6068b92023d12eb6ec1a752473df134a4eb99cb7df7cd0c3acc50bed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD52395bbff1c44a4db8a2ef8081a1aa77f
SHA189badcc2402bfd83b6979c39ff5d2dbeb8b66039
SHA256501c4fcdf09d69a9004f9703597c9573ea0fc528f403bdccfab824c230b62f9d
SHA512f27326b84d4fd90e054b09ad1958bc426d4ba94eba04ada49ae5b2f818f940b9fd6cef93f7cb60fa785f070716e0d82cdeb60d4f93ff84b2a29b7ca01e2a3d28
-
Filesize
15KB
MD545b841cfbe7bbc4cdd6fa45e8cb9672a
SHA105eaaf896e660383f335259911782c3c6e3d49c2
SHA256d17f002dacda3695a04e466204b9c2b4512595d7571055d1f03d3a6c0ad52774
SHA51265d9082a56fd8d8598488f845f36d0bea6e9b7d8305212d6ce689152ff0195a9b450130381fab57b6d2484d921064aa689969ca5baa4e5d3f61d14d113d513ba
-
Filesize
10KB
MD5112aa561cd146780a3a85e1ffe9f774e
SHA104c646adff23ebbc3847b6b054ce930b5f08a579
SHA2567632d50f3f6d43f63d6974686a18fe08fcf2226e5ab77dbf09da58230c4bdc96
SHA5122c24ed4b2a166634b95bbbb7fa964c488a368dcc19bc46d523cbf28955e3af183651cf1659635cb9be1843bfc9c2f32fe06b596ef7b8c4f615f531080c5a873b