Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/12/2024, 02:39
Static task
static1
Behavioral task
behavioral1
Sample
b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe
Resource
win7-20240708-en
General
-
Target
b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe
-
Size
1.8MB
-
MD5
a541fa0eaf66c44faab3dbfd8229bb17
-
SHA1
dd170660003d092e778e448d3f8fb6a6e7840262
-
SHA256
b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a
-
SHA512
c3f27bba03085836dde8f028db873052f61fb53ee74abea0f6a108399d400afddc144053975cde5a402f45d3a0d293dd9ec53b8994b7a97626b5cf8cd9c2a879
-
SSDEEP
49152:UTB6KzbULmqL+SfMMq7DQN9GwPasbxUrxdC51Me/:UTcBKOJPhbSy51Mq
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 847aff0524.exe -
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF e0ea6c0ac2.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c1b0c42c5a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e0ea6c0ac2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 07c1ec5ad7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e85b1c7e73.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 847aff0524.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 07c1ec5ad7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e85b1c7e73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c1b0c42c5a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e0ea6c0ac2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e85b1c7e73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 847aff0524.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e0ea6c0ac2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 07c1ec5ad7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 847aff0524.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c1b0c42c5a.exe -
Executes dropped EXE 8 IoCs
pid Process 2580 skotes.exe 1956 c1b0c42c5a.exe 2376 PhafoQj.exe 4964 e0ea6c0ac2.exe 6200 07c1ec5ad7.exe 6752 e85b1c7e73.exe 7272 8f2ba77aac.exe 8196 847aff0524.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine c1b0c42c5a.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine e0ea6c0ac2.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine 07c1ec5ad7.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine e85b1c7e73.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine 847aff0524.exe -
Loads dropped DLL 13 IoCs
pid Process 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 2580 skotes.exe 1956 c1b0c42c5a.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 847aff0524.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 847aff0524.exe -
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook PhafoQj.exe Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\07c1ec5ad7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011139001\\07c1ec5ad7.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\e85b1c7e73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011140001\\e85b1c7e73.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\8f2ba77aac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011141001\\8f2ba77aac.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\847aff0524.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011142001\\847aff0524.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0005000000019d69-8410.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 2580 skotes.exe 1956 c1b0c42c5a.exe 4964 e0ea6c0ac2.exe 6200 07c1ec5ad7.exe 6752 e85b1c7e73.exe 8196 847aff0524.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 07c1ec5ad7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 847aff0524.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e85b1c7e73.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f2ba77aac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PhafoQj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0ea6c0ac2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c1b0c42c5a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 8f2ba77aac.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 8f2ba77aac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 7236 taskkill.exe 7164 taskkill.exe 7836 taskkill.exe 7912 taskkill.exe 7988 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 07c1ec5ad7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 07c1ec5ad7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 07c1ec5ad7.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 2580 skotes.exe 1956 c1b0c42c5a.exe 4964 e0ea6c0ac2.exe 4964 e0ea6c0ac2.exe 4964 e0ea6c0ac2.exe 4964 e0ea6c0ac2.exe 4964 e0ea6c0ac2.exe 4964 e0ea6c0ac2.exe 6200 07c1ec5ad7.exe 6752 e85b1c7e73.exe 7272 8f2ba77aac.exe 8196 847aff0524.exe 7272 8f2ba77aac.exe 8196 847aff0524.exe 8196 847aff0524.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2376 PhafoQj.exe Token: SeDebugPrivilege 2376 PhafoQj.exe Token: SeDebugPrivilege 7236 taskkill.exe Token: SeDebugPrivilege 7164 taskkill.exe Token: SeDebugPrivilege 7836 taskkill.exe Token: SeDebugPrivilege 7912 taskkill.exe Token: SeDebugPrivilege 7988 taskkill.exe Token: SeDebugPrivilege 8196 847aff0524.exe Token: SeDebugPrivilege 8076 firefox.exe Token: SeDebugPrivilege 8076 firefox.exe -
Suspicious use of FindShellTrayWindow 15 IoCs
pid Process 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 8076 firefox.exe 8076 firefox.exe 7272 8f2ba77aac.exe 8076 firefox.exe 8076 firefox.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 7272 8f2ba77aac.exe 8076 firefox.exe 8076 firefox.exe 7272 8f2ba77aac.exe 8076 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1900 wrote to memory of 2580 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 30 PID 1900 wrote to memory of 2580 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 30 PID 1900 wrote to memory of 2580 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 30 PID 1900 wrote to memory of 2580 1900 b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe 30 PID 2580 wrote to memory of 1956 2580 skotes.exe 32 PID 2580 wrote to memory of 1956 2580 skotes.exe 32 PID 2580 wrote to memory of 1956 2580 skotes.exe 32 PID 2580 wrote to memory of 1956 2580 skotes.exe 32 PID 2580 wrote to memory of 2376 2580 skotes.exe 33 PID 2580 wrote to memory of 2376 2580 skotes.exe 33 PID 2580 wrote to memory of 2376 2580 skotes.exe 33 PID 2580 wrote to memory of 2376 2580 skotes.exe 33 PID 2580 wrote to memory of 4964 2580 skotes.exe 35 PID 2580 wrote to memory of 4964 2580 skotes.exe 35 PID 2580 wrote to memory of 4964 2580 skotes.exe 35 PID 2580 wrote to memory of 4964 2580 skotes.exe 35 PID 2580 wrote to memory of 6200 2580 skotes.exe 36 PID 2580 wrote to memory of 6200 2580 skotes.exe 36 PID 2580 wrote to memory of 6200 2580 skotes.exe 36 PID 2580 wrote to memory of 6200 2580 skotes.exe 36 PID 2580 wrote to memory of 6752 2580 skotes.exe 38 PID 2580 wrote to memory of 6752 2580 skotes.exe 38 PID 2580 wrote to memory of 6752 2580 skotes.exe 38 PID 2580 wrote to memory of 6752 2580 skotes.exe 38 PID 2580 wrote to memory of 7272 2580 skotes.exe 39 PID 2580 wrote to memory of 7272 2580 skotes.exe 39 PID 2580 wrote to memory of 7272 2580 skotes.exe 39 PID 2580 wrote to memory of 7272 2580 skotes.exe 39 PID 7272 wrote to memory of 7236 7272 8f2ba77aac.exe 40 PID 7272 wrote to memory of 7236 7272 8f2ba77aac.exe 40 PID 7272 wrote to memory of 7236 7272 8f2ba77aac.exe 40 PID 7272 wrote to memory of 7236 7272 8f2ba77aac.exe 40 PID 7272 wrote to memory of 7164 7272 8f2ba77aac.exe 42 PID 7272 wrote to memory of 7164 7272 8f2ba77aac.exe 42 PID 7272 wrote to memory of 7164 7272 8f2ba77aac.exe 42 PID 7272 wrote to memory of 7164 7272 8f2ba77aac.exe 42 PID 7272 wrote to memory of 7836 7272 8f2ba77aac.exe 44 PID 7272 wrote to memory of 7836 7272 8f2ba77aac.exe 44 PID 7272 wrote to memory of 7836 7272 8f2ba77aac.exe 44 PID 7272 wrote to memory of 7836 7272 8f2ba77aac.exe 44 PID 7272 wrote to memory of 7912 7272 8f2ba77aac.exe 46 PID 7272 wrote to memory of 7912 7272 8f2ba77aac.exe 46 PID 7272 wrote to memory of 7912 7272 8f2ba77aac.exe 46 PID 7272 wrote to memory of 7912 7272 8f2ba77aac.exe 46 PID 7272 wrote to memory of 7988 7272 8f2ba77aac.exe 48 PID 7272 wrote to memory of 7988 7272 8f2ba77aac.exe 48 PID 7272 wrote to memory of 7988 7272 8f2ba77aac.exe 48 PID 7272 wrote to memory of 7988 7272 8f2ba77aac.exe 48 PID 7272 wrote to memory of 8060 7272 8f2ba77aac.exe 50 PID 7272 wrote to memory of 8060 7272 8f2ba77aac.exe 50 PID 7272 wrote to memory of 8060 7272 8f2ba77aac.exe 50 PID 7272 wrote to memory of 8060 7272 8f2ba77aac.exe 50 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 PID 8060 wrote to memory of 8076 8060 firefox.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PhafoQj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe"C:\Users\Admin\AppData\Local\Temp\b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\1011136001\c1b0c42c5a.exe"C:\Users\Admin\AppData\Local\Temp\1011136001\c1b0c42c5a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\1011137001\PhafoQj.exe"C:\Users\Admin\AppData\Local\Temp\1011137001\PhafoQj.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\1011138001\e0ea6c0ac2.exe"C:\Users\Admin\AppData\Local\Temp\1011138001\e0ea6c0ac2.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4964
-
-
C:\Users\Admin\AppData\Local\Temp\1011139001\07c1ec5ad7.exe"C:\Users\Admin\AppData\Local\Temp\1011139001\07c1ec5ad7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:6200
-
-
C:\Users\Admin\AppData\Local\Temp\1011140001\e85b1c7e73.exe"C:\Users\Admin\AppData\Local\Temp\1011140001\e85b1c7e73.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6752
-
-
C:\Users\Admin\AppData\Local\Temp\1011141001\8f2ba77aac.exe"C:\Users\Admin\AppData\Local\Temp\1011141001\8f2ba77aac.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:7272 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7236
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7164
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7836
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7912
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7988
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:8060 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8076 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.0.235010622\335628007" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77aa012e-a44c-45ec-8cb3-3e3f249ccade} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 1340 106efe58 gpu6⤵PID:8652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.1.1813598021\717790846" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {555633f2-abe6-4a45-a164-74167b695f1e} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 1520 f4ebb58 socket6⤵PID:8764
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.2.1729192208\431178706" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 740 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ddc755-aaff-407a-ac6e-176a7b508726} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 2124 1a4d8658 tab6⤵PID:9064
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.3.780209466\1966987807" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 740 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81978bf6-bd05-4abb-a6e3-15cdf89b9c02} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 2952 f64258 tab6⤵PID:9668
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.4.172124579\1989341326" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 3572 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 740 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c850b1c5-49db-4996-95ae-9586940aa2a7} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 3616 1f1bf558 tab6⤵PID:7860
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.5.424033047\1232419130" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3748 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 740 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a662bbde-018a-49ee-bec7-df0ae0018d9a} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 3600 1f1bce58 tab6⤵PID:7996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8076.6.1473882775\1692602045" -childID 5 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 740 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {868b2472-a826-4dd5-86ba-1eca18627cec} 8076 "\\.\pipe\gecko-crash-server-pipe.8076" 3804 1f1be658 tab6⤵PID:8584
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011142001\847aff0524.exe"C:\Users\Admin\AppData\Local\Temp\1011142001\847aff0524.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8196
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp
Filesize32KB
MD5fdba55c68d5ab45e34af6a20b0ff2e37
SHA13de5b73187987f974bbaada915e726a12fe5da9e
SHA25603e2b28e4b5f3dbff16c5421c31dca31af20acda9583e6c1c38886c01d8c3d41
SHA51219e16822a6471cc09c9ae6bec656a7f70624b1faa0ab94bd92fbad36d6ac46ca25ea8de2df950e88a9b073a84ba4690b2379e4fc04812b76ae2252db2d0bfa52
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
1.9MB
MD5870c92cf89253baeaf80574aaad15adc
SHA1feefb55fa434ceb4aa10997bedfccd5597852078
SHA25665238eee07b00d608d030a601ebe0878656466084e1f55e9e41258bec1370b59
SHA512fe1cf7efa897c4c4fada01ba67ef38e7491d96870ab32354b0acbf2bb0cfa32faf914d05037d6e813fcc9b1241466acdaa178adeacc2451ea371f1189e7923c6
-
Filesize
1.4MB
MD503757138d540ad9e87a345bf3b63aebf
SHA183a0b3ce46a7178456763e5356bf4940efa41cd1
SHA256659ef7c3fd01df95231975c36e8e45444f6329da33a70e58690f2ee75c7a722f
SHA5120f08c40ff45829c608a42a6d0d12c1b2a726d315c28f0b4330320a7585506474f72eca550a90b042eece41911174859e95d4b5056c77999a1acf14d43e5279ca
-
Filesize
4.2MB
MD5bd6d6662b11f947d8480c6e9815c3ef3
SHA1b5ecc2be2f54b7849b8c948bbd91cef25028ce41
SHA2567191093754402a6cc5ee460bafef859de07ac2bbf91ce56c6b56a91d3020c2e2
SHA512242a995d3c3a123401d7776b1b5b373d7d117566a897e3e8ed2fe07faaff3dfda01daca76cc60012a6480412f6118b5185926677bb61678bdb3cca336a36e8fa
-
Filesize
1.8MB
MD52426e5ac8ee0bbb03e63d7467cba1df2
SHA16cfd84d6f98b4a9d1b9d5bd724ec59cd4e8533c3
SHA2564b6f652aa6df9d8078f869655c18ac854262d94c3b3a547488a2ece1b184a7b5
SHA5125697de737cf9ee10433c57a1f0d214b0d8344ad33306b243624542ead2375e6c3a4ca5a8d4e3b806cb5bbad17b1612881b1f1064d03b18da01c5f96c57e9751c
-
Filesize
1.7MB
MD566bcb6e17b5fb8da5c8791b5fd6cadec
SHA1a7ef8cd29018bce43618425c1f211ab4d7d3c88e
SHA256cc9109ffeede3b8f3117ccb1bae82347c4506e08e2a06c3bffd15608dad16cfd
SHA51276708812f23247c7ab921adb69f1fe3c79e3bef5f2fd374021ab120644a7c4e9768b202c3283edcfb9b7b42647e86f880021eb340594b0cbc0b07938408a8aed
-
Filesize
947KB
MD54932e7c10bb027cec9de8696ecf6901d
SHA1aef2197b802633e3453dd7c221bbd889b99a5b90
SHA2566bbbe9d1fa289f9bcdfa962f16c09f8035064becce76871a60c9db490bc6df9c
SHA5129253a415c4f826b09ab01f2afb7f0b2c35534aa093209e72223ab23392822b50d3edc1949c66d1f39aa59198e9275a1b7729df6a9fb39008e9bb28c6f245c8b3
-
Filesize
2.7MB
MD53834ead0f530e99a0d9810e6866e893a
SHA1a051a6bc8dcd18dcc71af7861c8031f0bfade6c1
SHA256c7c57fb214ae177ef2cf143775c2131cbdcd8965bf55540a3422ebd03494d436
SHA512e2e0b2907f28016ec5a22976dd211a73d0ee9aeee1859740e31ca073a17a79f4624415a216939f80b4746e731b98c1066c5e854307950d8c73c4dfc67854b24c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD5000415c13f7e5abe696fb4a188b7291e
SHA1db26d94019b664f6407dc9da87e2e9d81e34d846
SHA256040b519124ce52d7707c7bbe0681006cbcd810e50d26e079ff8f335eb0b66db5
SHA512a2803e179c9fe96e893483cb6d275a8b754f1e0e4c4ff236ac5513043f75372175569de4ffdeeffae13667765cbab5b558e6b0723bd4fcf733b78faa086d61d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\b81df1d9-91ab-4698-ab4e-1cfda5a8a658
Filesize733B
MD507f7a626f27ef9b56cb206a98ae99181
SHA11ab83cd3115845b56b716d21530e15a4a4b7cbed
SHA2568332122ed71a8001eadefa1f300d5483fbc462c2936308dd67653cd56997057a
SHA5126fdb330b9d3e4cfcd7cd18b2f4446f7e7238bb3db232e772196a635be88d37e327339dea6bf62e498cc3b19c449fa413dc6a1d3701de7bc9bf5c037213531645
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5a47419c3f0b5a23f6c0d1bb7c36b4393
SHA1bebeac1c63834777d01dc3d215f8616d8ed7e7b4
SHA2563b22f539f8a681bca6627fcdb67a0c34ce11443c6e9f3303f4a4063ea2794932
SHA512db530ba4c189213e80d3cbce66aecbd79c918eddcc7545690096410e88476ac1fd650a61e187b9c2578dcd8e25c57da60cb5d2979c2a887fe00d47c926eb1247
-
Filesize
7KB
MD52ba4da4d1169fadc798a00fb43d08367
SHA1c0db8c627b595dfda91eda7f5a7306a990de514d
SHA2568e544a6aa82fd58fda4ec4852dea7613882109db8b0324c1d51a7db672cd32e1
SHA51268b2a56d5e2fbda8040f202d1c3cbd67a9a046df57848b71fd8e87d6039324fa1f0dcb41635361535bf586af585346fdfaad3abac865d10a9ab6b5415b29d091
-
Filesize
7KB
MD57d8556463d3a17372421cd2312f1510a
SHA123e919f9469bfc64c3b0dc99e74f077bdf4365d2
SHA256a8a8f8929d0808508770bd0d1f6a65307a1375f07103a33712ef20506deaa87f
SHA5122c4bf7bb99fc1e2723020be1d918d0ab1f2502b7240420b1e7ac75d8ddb896ef364591c385aefa0fc0f99b7724e10c7dd4ab6e7cae85bc29612d01a27aaea999
-
Filesize
6KB
MD5fed469ed89ecf5ce5899617993b5a955
SHA182d3d7822ed2a048e85575cadaabe37eddcc2899
SHA2569f8988b6ed636a5c1d75bffc58b0742be77dd9c167566885ee0636302a65d8c3
SHA512db5495480b72fa1bf94e7a196cc6d3edd7187b749483f7e95d75d93f94a75facc572c52361df88a63f1b34aaeb78f914123230b067f9689c6e39e76ee6908563
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5af35de214decc065aedefa887d8ad8d0
SHA1a7c466132f092a3204072d61ffc6153e1d8f1a4a
SHA2569815d2193c5b4f147ea97c351b49be56b29901fec5497226dca8faa30164dca3
SHA512ea4e4ac52cd6a077dca8451248c17c7cf8e213bb687713ad980eaf34b9e89ca6165e80188165860ba50db6593fb2337821214a759736f18ba4ad67329f1f0e29
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
1.8MB
MD5a541fa0eaf66c44faab3dbfd8229bb17
SHA1dd170660003d092e778e448d3f8fb6a6e7840262
SHA256b66b9bbe43d16ba2ae2275aaad148809d9c5bce9726ac3f4b57333d355f9a85a
SHA512c3f27bba03085836dde8f028db873052f61fb53ee74abea0f6a108399d400afddc144053975cde5a402f45d3a0d293dd9ec53b8994b7a97626b5cf8cd9c2a879