Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 07:43
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240903-en
General
Target: file.exe
Size: 3.1MB
MD5: b733439c4301274dc53cd695ee993ea0
SHA1: 14aad203f90d43e7778031f13c7211159fb2ea61
SHA256: 68eb987a62b6945287f28f021980b468df4622115fb643a14b43dd5f87b60b0f
SHA512: 47fb65bae81a6f63069fde903e3fd11624d7f7e68548ebc8991e7a77bb5d285424b623d8cf9d8a1988f196a7159738b709c507628860e8335633965e63ce75da
SSDEEP: 49152:2eCJEsf1dvcE7LjiJE1sA7whzCYW9P8Vc81EY7x:2e0f1hcEHjiJE1s26CYIEL7x
Malware Config

Extracted: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: stealc
Botnet: tale
C2: http://185.215.113.206
url_path: /6c4adf523b719729.php

Extracted: lumma
C2: https://founpiuer.store/api
Signatures

Amadey family

Lumma family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 7e26e10f2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 7e26e10f2e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 7e26e10f2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 7e26e10f2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 7e26e10f2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 7e26e10f2e.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 649b71275c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d5a04cb00c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7e26e10f2e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d5a04cb00c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 649b71275c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 649b71275c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d5a04cb00c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7e26e10f2e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7e26e10f2e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE (7 IoCs)
pid | Process
948 | skotes.exe
1536 | 649b71275c.exe
3244 | d5a04cb00c.exe
1932 | b254311367.exe
5124 | 7e26e10f2e.exe
372 | skotes.exe
3468 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | 649b71275c.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | d5a04cb00c.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | 7e26e10f2e.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | skotes.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 7e26e10f2e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 7e26e10f2e.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\649b71275c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004045001\\649b71275c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5a04cb00c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004046001\\d5a04cb00c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b254311367.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004047001\\b254311367.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e26e10f2e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004048001\\7e26e10f2e.exe" | skotes.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0009000000023cd1-70.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid | Process
4436 | file.exe
948 | skotes.exe
1536 | 649b71275c.exe
3244 | d5a04cb00c.exe
5124 | 7e26e10f2e.exe
372 | skotes.exe
3468 | skotes.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | file.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2276 | 1536 | WerFault.exe | 95
3736 | 1536 | WerFault.exe | 95
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7e26e10f2e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 649b71275c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b254311367.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5a04cb00c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Kills process with taskkill (5 IoCs)
pid | Process
4756 | taskkill.exe
1856 | taskkill.exe
4404 | taskkill.exe
3468 | taskkill.exe
4732 | taskkill.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs; identical consecutive rows collapsed, count in parentheses)
pid | Process
4436 | file.exe (x2)
948 | skotes.exe (x2)
1536 | 649b71275c.exe (x2)
3244 | d5a04cb00c.exe (x2)
1932 | b254311367.exe (x4)
5124 | 7e26e10f2e.exe (x5)
372 | skotes.exe (x2)
3468 | skotes.exe (x2)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4756 | taskkill.exe
Token: SeDebugPrivilege | 1856 | taskkill.exe
Token: SeDebugPrivilege | 4404 | taskkill.exe
Token: SeDebugPrivilege | 3468 | taskkill.exe
Token: SeDebugPrivilege | 4732 | taskkill.exe
Token: SeDebugPrivilege | 4972 | firefox.exe
Token: SeDebugPrivilege | 4972 | firefox.exe
Token: SeDebugPrivilege | 5124 | 7e26e10f2e.exe
Token: SeDebugPrivilege | 4972 | firefox.exe
Token: SeDebugPrivilege | 4972 | firefox.exe
Token: SeDebugPrivilege | 4972 | firefox.exe
Suspicious use of FindShellTrayWindow (33 IoCs; identical consecutive rows collapsed, count in parentheses)
pid | Process
4436 | file.exe (x1)
1932 | b254311367.exe (x6)
4972 | firefox.exe (x4)
1932 | b254311367.exe (x1)
4972 | firefox.exe (x17)
1932 | b254311367.exe (x4)

Suspicious use of SendNotifyMessage (31 IoCs; identical consecutive rows collapsed, count in parentheses)
pid | Process
1932 | b254311367.exe (x6)
4972 | firefox.exe (x4)
1932 | b254311367.exe (x1)
4972 | firefox.exe (x16)
1932 | b254311367.exe (x4)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4972 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical consecutive rows collapsed, count in parentheses)
description | pid | Process | procid_target
PID 4436 wrote to memory of 948 | 4436 | file.exe | 87 (x3)
PID 948 wrote to memory of 1536 | 948 | skotes.exe | 95 (x3)
PID 948 wrote to memory of 3244 | 948 | skotes.exe | 107 (x3)
PID 948 wrote to memory of 1932 | 948 | skotes.exe | 108 (x3)
PID 1932 wrote to memory of 4756 | 1932 | b254311367.exe | 109 (x3)
PID 1932 wrote to memory of 1856 | 1932 | b254311367.exe | 111 (x3)
PID 1932 wrote to memory of 4404 | 1932 | b254311367.exe | 113 (x3)
PID 1932 wrote to memory of 3468 | 1932 | b254311367.exe | 115 (x3)
PID 1932 wrote to memory of 4732 | 1932 | b254311367.exe | 117 (x3)
PID 1932 wrote to memory of 212 | 1932 | b254311367.exe | 119 (x2)
PID 212 wrote to memory of 4972 | 212 | firefox.exe | 120 (x11)
PID 4972 wrote to memory of 4868 | 4972 | firefox.exe | 121 (x24)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4436

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 948
    C:\Users\Admin\AppData\Local\Temp\1004045001\649b71275c.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1004045001\649b71275c.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1536

      C:\Windows\SysWOW64\WerFault.exe (depth 4)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1460
      - Program crash
      PID: 2276

      C:\Windows\SysWOW64\WerFault.exe (depth 4)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1500
      - Program crash
      PID: 3736
    C:\Users\Admin\AppData\Local\Temp\1004046001\d5a04cb00c.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1004046001\d5a04cb00c.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3244

    C:\Users\Admin\AppData\Local\Temp\1004047001\b254311367.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1004047001\b254311367.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1932
      C:\Windows\SysWOW64\taskkill.exe (depth 4)
      Command line: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4756

      C:\Windows\SysWOW64\taskkill.exe (depth 4)
      Command line: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1856

      C:\Windows\SysWOW64\taskkill.exe (depth 4)
      Command line: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4404

      C:\Windows\SysWOW64\taskkill.exe (depth 4)
      Command line: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3468

      C:\Windows\SysWOW64\taskkill.exe (depth 4)
      Command line: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4732
      C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory
      PID: 212

        C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4972

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecae7bf4-1daa-4628-81d7-f83bf914c810} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" gpu
          PID: 4868

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4471bb-7648-44c3-b9fb-2adcc30ea3f5} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" socket
          PID: 4944

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 2580 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dd7b353-0fd1-492f-a8cc-c8f4b6c959aa} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
          PID: 4696

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3836 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81aecb5a-3279-4431-8d20-f901518b25db} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
          PID: 5048

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1232 -prefMapHandle 2604 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa042305-fdc6-4216-8ce4-f92cc6e27dcf} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" utility
          - Checks processor information in registry
          PID: 5468

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5360 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {098f3323-4cf4-4204-91e3-cee833a74b2c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
          PID: 1172

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5584 -prefMapHandle 5056 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {210723bc-a261-4479-ac01-a90920aed5ac} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
          PID: 2704

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ce3fc3c-a09b-415c-a2a1-8369e5cf9b7c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" tab
          PID: 2320
    C:\Users\Admin\AppData\Local\Temp\1004048001\7e26e10f2e.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1004048001\7e26e10f2e.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5124

C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1536 -ip 1536
PID: 3584

C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1536 -ip 1536
PID: 3744
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 372

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3468
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)

Defense Evasion
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json
Filesize: 24KB
MD5: 70cddd4bea741cad05c5bb6975e58564
SHA1: 6dbaa299953ab9051208ae98817e1edc569ca52b
SHA256: ed9bd7804805b88e6f7535694a2bcdced0be984080ec90720bd3cf5fef2198ad
SHA512: a98c732d0d826c4579f7706dc41397eb9d1c413b9f8978d9f7b3abb0ca9194b3529b1766c8ea67f7ad688d8c6871f4788b7be54fe5fa14af091b9b7b8c8fccd7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize: 13KB
MD5: 1d3876ca15e8fc333de52680e66e5195
SHA1: 49d759df99b0dfe88f79f09895e13984a8199847
SHA256: 8d98d00329af83381a9af395a6d3e3a2650e9c08e2c631c9a9515b5197831c46
SHA512: b7f4e2ad7a2cc023d5dcc83a5db2649bac2b82498d57f6972e20392e70973c0f22544c8614b86e6056ca394c6a0a8d827442d9a266c6dfae5cbbe9bf8ebea1e5
Filesize: 2.8MB
MD5: 83f9eaaa75fb613932c6fc8b47da7be7
SHA1: 3f5964bddfb8375748c15e2772254bdb86e69da6
SHA256: 26ae8aa3793acdb7574770d65f04a0493237fc6413080939f1206b3b48f811f0
SHA512: 4c6ca4a3afeceb826feae91fee7c12d5df576b4b457feab3e2088ac2600fa6be3ac059acbfdb5437b57026a0830c85dc3dfb20eebd60c208814fbe625222b26c

Filesize: 2.1MB
MD5: 686c6902c3cea93c353dfb5532d73013
SHA1: 760cd9a27a11acef4b009381206e5788b539d680
SHA256: c1bff63e4e1aa1fccb42244c12ef8db8ebc4e0e3a1339f58e3801ee9f8e7ef48
SHA512: d7aa28fa9fd142d76e95d386a8c68aff2c258e2063c442308bd53ea38c6956ee988b55e5453f8f08c6be4901ee6943e90bb745ce1ac8a1c5bab2a2462d56f119

Filesize: 898KB
MD5: c43714f29bbcb574b15fe7b617164161
SHA1: aada941b103e80b0279ac9f5e3d20671ba56fde9
SHA256: a8895ab9503307e0c1077ba93cca756004b888b4e4b5b0b681116c7ca536506a
SHA512: 4f88b17f49b44914bd9ebc5733cda3d85c4a0f1c893a2bf58a8bb63ede37bb214d7870db20aefed361191bdd110a2d359fec85d0b0d7e97b26220f75db15e125

Filesize: 2.7MB
MD5: dfffcb401a6447d7e14f1c8df6f470d3
SHA1: 82fb35b2a58c262e3315af8ec0fe7467d4654af2
SHA256: 68e63852516106ca4a7e0edb832c0aba967d74e82da70c37ffd6d595b594a6b3
SHA512: 79b275de1056183e965e15bfc813a346ceea9fe263c778a0cfaaaaf8dc19f37234271d0bc16918a60b3aac29d18fccacac74bf15064b7b44c6917c0b6fc5e57c

Filesize: 3.1MB
MD5: b733439c4301274dc53cd695ee993ea0
SHA1: 14aad203f90d43e7778031f13c7211159fb2ea61
SHA256: 68eb987a62b6945287f28f021980b468df4622115fb643a14b43dd5f87b60b0f
SHA512: 47fb65bae81a6f63069fde903e3fd11624d7f7e68548ebc8991e7a77bb5d285424b623d8cf9d8a1988f196a7159738b709c507628860e8335633965e63ce75da

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 8d481799ff8f8fda8e31a7b3200ff0c1
SHA1: 6fae021061bd48c72c1c7529ec4629a8a5bc72db
SHA256: 1e6b902a3a188fce2bb5fb511f8eee50a44d248e6f294293b5b905b7f25ca494
SHA512: 6b688df4dbfa65c15d9e1b74613b53ea261ff984786a0f0719d18929757ee6fadee0a3270974b767a7c6c34c69dfa8a41457073548dbe3090df10f4bc8ad7702

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: f1bb975cdc41f508fe10d48378d472c5
SHA1: 9b92c8fe942df59496e8d87f9a809365257212d9
SHA256: 0206b8cdd4943f90bfe83dc208140b368b70168c78e4346f22adddac2ecf127b
SHA512: 75a5af83e2255c546760082b873decc4ca5323b020dc01393fd909fa36bedd5b99b322157b6ed96ad1b1242ea9bf55b36f976164cb94d4b1165754f74d611cbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 2365f11cd33da316cb373370fcdfbeac
SHA1: a171ec6b1800e379821c94c8e8b2ec06f51d4f99
SHA256: 7fae8dbb29739565dd765acfe49eb6ae327c936f1df14710d9c083e0c02314c0
SHA512: 1a3e06c514558b2b4ab463582b7bf71cbbae1dbd514c6391e66a23018737b5849777bb8db2410587de291c25d974cf3589e4881473164493a367d0e74094188c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: f4b4a56184b80bb0db4cbf655a5e9956
SHA1: 71fb583d963b7c5f8ea0e74089404b0448a530a1
SHA256: 1d777f1ff914e4aff40059d4009897bb7ddc747217d22c6b101eebbc2176ce16
SHA512: 0d58b194cd1dc244749c53ecfa4263efbd5dba8fc6e8982c56cf20acc4794a94a8c0bda35d0124145b346feeae5850e76cc11484c35e2024584220c62c68343c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\7544d590-e729-4bdb-90bd-3f62bf44a31e
Filesize: 27KB
MD5: 0173a53f7975bcfcca6fbd1dd59f645c
SHA1: 0a2ad01509c5667a893aa0debda1aefbfa148405
SHA256: 3484f0052f656ed00c44db12e7950cdf03a013175a69d1ac4e7d7c67526290f8
SHA512: d2c26e310491d58cee774bf62a919d50b3d7b1a2714ee39f3acdce20b85a7ddec8d10481dcea9287886b65729040510cd8e3c7110d45d6126544e0abf11fe256

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\9dbca6c0-633b-495b-af3f-3a0c9717983a
Filesize: 671B
MD5: baa83e178d0a9d2a9f25eafb73a45a8c
SHA1: 92da5608e0030020719a683cd097ca60b24835e2
SHA256: 6f72d3c938b4b47ca48b965ba929ce507386531e7dd756434d43c064cf08eb4b
SHA512: 3efdc0e9d184125086d587d0c9a7b4e4e6aae9879c7a22542a2bd3fc33da71fcd2b0bc64a55bb4646d848b47b9ae9e68bf9a183e95807258ef962e7303ceba97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\e9bc96bb-d52d-4f0f-941a-8c6d9fcd05fa
Filesize: 982B
MD5: 6be8758ac9db6104256f34b7537d6f4a
SHA1: f238ac98283198ce9a4d368b10d84be2d4606045
SHA256: a8436a1dc680d568a6cd7fb7584eed7384ad5ec9ab4b6385cff229197a13957f
SHA512: e016bef9889e3338cc3b2872389d3ba9096139e74d44674bd8df5afe12e60a3240ed3113ee1c76057d94b2a41ef59950c818f3616690e06271feb97f373d6795

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
Filesize: 15KB
MD5: 8a7f694172640fd2c001e5ca7d78be17
SHA1: 1e03d70357963880d4165e59984f02993d30d827
SHA256: 61baa5f768b2ae5477d48cd75df515bc48cd6146b821c01db21d0f2e1902d808
SHA512: 5b570319a5a22880ec40ff773afddeca19a898e1253f7ae875799333256834cf9dac79ddf288f910c586896e50a3bf04eb223fa13fa221644e73b7450a2a9069

Filesize: 10KB
MD5: 4aa1b34ac4fe797083c07a41ae2a87d2
SHA1: 566f806c6505b129f5cd19a7058c7a47753f17de
SHA256: d8085f9c5ed9cf259c57f9ea9834d642f9a23c43962abc54c17b846f03236338
SHA512: 4db3af4ce78e15fcd2f9ec0150d505b8e5661323329db9419f1abd2229fc793b6a044c3031adbb7cc8c9cc451aeadb8ca0ecf9a688c6c890b102bb11322f493f

Filesize: 12KB
MD5: 1e19e05db564397dec1ed485b159585c
SHA1: 1c0292e5542923a24cff3e4205fa13c9df2e16fb
SHA256: 89a41b5744c53e011a18fc55781baff6781698fd97236a8dc7e60784b8360b7a
SHA512: da6c20153527af58eb5019be8cfb24965bf3252fcdfb6b91ebe06ac9a04849473d3342e7a71be25315e8523624065370c6eac7d53e090a4b4f52ec12aae4db43

Filesize: 11KB
MD5: 4f845c1bfe4ba2c853f20c08020b5b61
SHA1: 207a2284a11345f35d6601caa5b7314f65b08d1c
SHA256: db7e85f5a8188721e0b28bafd099fb65558d48b0d24f578ac5a1c13edd31e599
SHA512: ed5bdd606fb463c994bec853612c50942a746f2f7928b53126e797c799ae1ced4aa84e74a8ba209a804879ba502b90fe154a03664cd521bf4398758678e3ec76