Analysis
max time kernel: 37s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 23:46
Static task: static1
Behavioral task: behavioral1
Sample: 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Resource: win7-20240903-en
General
Target: 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
Size: 1.8MB
MD5: 880d50b201c9a9c42ad4dc0d4eece5a3
SHA1: 3e71ad87d7184de4b6f1892d06bd74bb89b1f305
SHA256: 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096
SHA512: 16cee76e2cb07814363b5c5e8fdbb27f84654d6ab04fda94c1a57b0ba7ce3f2cc9819276193b39dd19572417d016cdafb54013785558dc69bb28cf2df984a068
SSDEEP: 24576:AiozOM/ROuY6v535CcLbAjjUFoJ0FQuvvBnRPwroDKSVpvhBgdHSqapQsFSWWNfc:EZROuPvznHAfX06uBRfhhSdIn9+fzwB
Malware Config

Extracted: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: lumma
Extracted: stealc
Botnet: drum
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted: lumma
C2: https://atten-supporse.biz/api
C2: https://se-blurry.biz/api
Signatures

- Amadey family
- Lumma family
- Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6a696251d1.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5c703508dc.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6a696251d1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5c703508dc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6a696251d1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5c703508dc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | skotes.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe

Executes dropped EXE (9 IoCs)
  pid | Process
  3160 | skotes.exe
  3504 | i1A5m12.exe
  4516 | i1A5m12.tmp
  4156 | rafencoder.exe
  2912 | wL3EGdM.exe
  3136 | 6a696251d1.exe
  3208 | skotes.exe
  5940 | 5c703508dc.exe
  5568 | 838e3987ee.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | 6a696251d1.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | 5c703508dc.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  4516 | i1A5m12.tmp
  4156 | rafencoder.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a696251d1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012543001\\6a696251d1.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c703508dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012544001\\5c703508dc.exe" | skotes.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0007000000023c7e-6313.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  3160 | skotes.exe
  3136 | 6a696251d1.exe
  3208 | skotes.exe
  5940 | 5c703508dc.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  6108 | 3136 | WerFault.exe | 102

System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i1A5m12.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a696251d1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5c703508dc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i1A5m12.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wL3EGdM.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 838e3987ee.exe

Kills process with taskkill (6 IoCs)
  pid | Process
  5880 | taskkill.exe
  3648 | taskkill.exe
  5588 | taskkill.exe
  5188 | taskkill.exe
  3440 | taskkill.exe
  5512 | taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  3160 | skotes.exe
  3160 | skotes.exe
  4516 | i1A5m12.tmp
  4516 | i1A5m12.tmp
  3136 | 6a696251d1.exe
  3136 | 6a696251d1.exe
  3208 | skotes.exe
  3208 | skotes.exe
  5940 | 5c703508dc.exe
  5940 | 5c703508dc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2912 | wL3EGdM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
  4516 | i1A5m12.tmp

Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 4620 wrote to memory of 3160 | 4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe | 83
  PID 4620 wrote to memory of 3160 | 4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe | 83
  PID 4620 wrote to memory of 3160 | 4620 | 763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe | 83
  PID 3160 wrote to memory of 3504 | 3160 | skotes.exe | 87
  PID 3160 wrote to memory of 3504 | 3160 | skotes.exe | 87
  PID 3160 wrote to memory of 3504 | 3160 | skotes.exe | 87
  PID 3504 wrote to memory of 4516 | 3504 | i1A5m12.exe | 88
  PID 3504 wrote to memory of 4516 | 3504 | i1A5m12.exe | 88
  PID 3504 wrote to memory of 4516 | 3504 | i1A5m12.exe | 88
  PID 4516 wrote to memory of 4652 | 4516 | i1A5m12.tmp | 92
  PID 4516 wrote to memory of 4652 | 4516 | i1A5m12.tmp | 92
  PID 4516 wrote to memory of 4652 | 4516 | i1A5m12.tmp | 92
  PID 4516 wrote to memory of 4156 | 4516 | i1A5m12.tmp | 93
  PID 4516 wrote to memory of 4156 | 4516 | i1A5m12.tmp | 93
  PID 4516 wrote to memory of 4156 | 4516 | i1A5m12.tmp | 93
  PID 4652 wrote to memory of 3532 | 4652 | net.exe | 95
  PID 4652 wrote to memory of 3532 | 4652 | net.exe | 95
  PID 4652 wrote to memory of 3532 | 4652 | net.exe | 95
  PID 3160 wrote to memory of 2912 | 3160 | skotes.exe | 98
  PID 3160 wrote to memory of 2912 | 3160 | skotes.exe | 98
  PID 3160 wrote to memory of 2912 | 3160 | skotes.exe | 98
  PID 3160 wrote to memory of 3136 | 3160 | skotes.exe | 102
  PID 3160 wrote to memory of 3136 | 3160 | skotes.exe | 102
  PID 3160 wrote to memory of 3136 | 3160 | skotes.exe | 102
  PID 3160 wrote to memory of 5940 | 3160 | skotes.exe | 104
  PID 3160 wrote to memory of 5940 | 3160 | skotes.exe | 104
  PID 3160 wrote to memory of 5940 | 3160 | skotes.exe | 104
  PID 3160 wrote to memory of 5568 | 3160 | skotes.exe | 106
  PID 3160 wrote to memory of 5568 | 3160 | skotes.exe | 106
  PID 3160 wrote to memory of 5568 | 3160 | skotes.exe | 106
Processes

[1] C:\Users\Admin\AppData\Local\Temp\763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\763b24905d097aee3844268d4825c726b1218eae5ff7ea971bb1275301811096.exe"
    PID: 4620
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        PID: 3160
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
            PID: 3504
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\is-7F9OM.tmp\i1A5m12.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-7F9OM.tmp\i1A5m12.tmp" /SL5="$701C2,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
                PID: 4516
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net.exe
                    Command line: "C:\Windows\system32\net.exe" pause raf_encoder_1252
                    PID: 4652
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\net1.exe
                        Command line: C:\Windows\system32\net1 pause raf_encoder_1252
                        PID: 3532
                        - System Location Discovery: System Language Discovery

                [5] C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
                    Command line: "C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i
                    PID: 4156
                    - Executes dropped EXE
                    - Loads dropped DLL

        [3] C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"
            PID: 2912
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\1012543001\6a696251d1.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012543001\6a696251d1.exe"
            PID: 3136
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1576
                PID: 6108
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\1012544001\5c703508dc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012544001\5c703508dc.exe"
            PID: 5940
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Local\Temp\1012545001\838e3987ee.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012545001\838e3987ee.exe"
            PID: 5568
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM firefox.exe /T
                PID: 5588
                - Kills process with taskkill

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM chrome.exe /T
                PID: 5188
                - Kills process with taskkill

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM msedge.exe /T
                PID: 3440
                - Kills process with taskkill

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM opera.exe /T
                PID: 5512
                - Kills process with taskkill

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM brave.exe /T
                PID: 5880
                - Kills process with taskkill

            [4] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                PID: 5212

                [5] C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    PID: 116

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb6f9046-f707-4f35-9247-bfd0b4c948a6} 116 "\\.\pipe\gecko-crash-server-pipe.116" gpu
                        PID: 4052

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {483db461-c591-4236-83da-825b2142ee02} 116 "\\.\pipe\gecko-crash-server-pipe.116" socket
                        PID: 6084

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00669bb7-31c8-4a6c-a93a-921067632be7} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 5776

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d8c2ea-1177-4698-bea2-9dd1a8c8a4df} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 1200

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4320 -prefMapHandle 4316 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75b7cda-7027-448a-829f-20fc69ea0907} 116 "\\.\pipe\gecko-crash-server-pipe.116" utility
                        PID: 556

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 4972 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebde8dca-8665-416b-a77e-dde8e0b4d4da} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 7036

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4988 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9aabff9-5685-417c-82db-c59146f29e74} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 7076

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6fb1f7-d949-49ec-bf6d-ee370279d95e} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 3016

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -parentBuildID 20240401114208 -prefsHandle 2052 -prefMapHandle 3224 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {969b75ef-b636-4b11-8fb7-6b2320d29f62} 116 "\\.\pipe\gecko-crash-server-pipe.116" gpu
                        PID: 5108

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -childID 6 -isForBrowser -prefsHandle 2528 -prefMapHandle 3664 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b929e11-83d8-4b68-b283-99e61d895a5b} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
                        PID: 6272

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM firefox.exe /T
                PID: 3648
                - Kills process with taskkill

        [3] C:\Users\Admin\AppData\Local\Temp\1012546001\41d2c2cd77.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012546001\41d2c2cd77.exe"
            PID: 5264

        [3] C:\Users\Admin\AppData\Local\Temp\1012547001\46fc8c32f6.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1012547001\46fc8c32f6.exe"
            PID: 5500

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 3208
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 644

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3136 -ip 3136
    PID: 1636

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3136 -ip 3136
    PID: 5140
Network
MITRE ATT&CK Enterprise v15
Downloads