Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2024, 10:03
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240729-en
General
-
Target
file.exe
-
Size
3.0MB
-
MD5
f918560684328ef2afdfdc8a1b30e9eb
-
SHA1
6ec9093af9bf97eb48a7be519c806540f3f9d6e9
-
SHA256
2d4170efe9401501e4ae84ffb262414c39f92c311054424e324bc872081227fd
-
SHA512
2861e45a5bf7d75adc0c698b3d3df81332dafe792cf2c1112daf789cb8b929e008b85dc7163bd643d1f64764d1d6c073f50345ad263013baa825146002b578b0
-
SSDEEP
49152:Xi/iI+N5lBQ59wJ7dCb7ZT/0FUQhKaa0FeunNTDNuKl:Xi/olq59U7dCb7ZT/0/FeuN4K
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 335da8aa55.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 335da8aa55.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 335da8aa55.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 335da8aa55.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 335da8aa55.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 335da8aa55.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1f591fb796.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 335da8aa55.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b509cd02c2.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 335da8aa55.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1f591fb796.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1f591fb796.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 335da8aa55.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b509cd02c2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b509cd02c2.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 7 IoCs
pid Process 4200 skotes.exe 4876 b509cd02c2.exe 1448 1f591fb796.exe 2180 5e48254b1e.exe 1344 335da8aa55.exe 4572 skotes.exe 4960 skotes.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine b509cd02c2.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 1f591fb796.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 335da8aa55.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 335da8aa55.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 335da8aa55.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b509cd02c2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013156001\\b509cd02c2.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1f591fb796.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013157001\\1f591fb796.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e48254b1e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013158001\\5e48254b1e.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\335da8aa55.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013159001\\335da8aa55.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0010000000023bab-68.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 1128 file.exe 4200 skotes.exe 4876 b509cd02c2.exe 1448 1f591fb796.exe 1344 335da8aa55.exe 4572 skotes.exe 4960 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1580 4876 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 5e48254b1e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b509cd02c2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5e48254b1e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 5e48254b1e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 335da8aa55.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1f591fb796.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 4392 taskkill.exe 4644 taskkill.exe 4216 taskkill.exe 5116 taskkill.exe 4908 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 1128 file.exe 1128 file.exe 4200 skotes.exe 4200 skotes.exe 4876 b509cd02c2.exe 4876 b509cd02c2.exe 1448 1f591fb796.exe 1448 1f591fb796.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 1344 335da8aa55.exe 1344 335da8aa55.exe 1344 335da8aa55.exe 1344 335da8aa55.exe 1344 335da8aa55.exe 4572 skotes.exe 4572 skotes.exe 4960 skotes.exe 4960 skotes.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 4908 taskkill.exe Token: SeDebugPrivilege 4392 taskkill.exe Token: SeDebugPrivilege 4644 taskkill.exe Token: SeDebugPrivilege 4216 taskkill.exe Token: SeDebugPrivilege 5116 taskkill.exe Token: SeDebugPrivilege 3628 firefox.exe Token: SeDebugPrivilege 3628 firefox.exe Token: SeDebugPrivilege 1344 335da8aa55.exe Token: SeDebugPrivilege 3628 firefox.exe Token: SeDebugPrivilege 3628 firefox.exe Token: SeDebugPrivilege 3628 firefox.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 1128 file.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 3628 firefox.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe 2180 5e48254b1e.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3628 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1128 wrote to memory of 4200 1128 file.exe 82 PID 1128 wrote to memory of 4200 1128 file.exe 82 PID 1128 wrote to memory of 4200 1128 file.exe 82 PID 4200 wrote to memory of 4876 4200 skotes.exe 87 PID 4200 wrote to memory of 4876 4200 skotes.exe 87 PID 4200 wrote to memory of 4876 4200 skotes.exe 87 PID 4200 wrote to memory of 1448 4200 skotes.exe 92 PID 4200 wrote to memory of 1448 4200 skotes.exe 92 PID 4200 wrote to memory of 1448 4200 skotes.exe 92 PID 4200 wrote to memory of 2180 4200 skotes.exe 95 PID 4200 wrote to memory of 2180 4200 skotes.exe 95 PID 4200 wrote to memory of 2180 4200 skotes.exe 95 PID 2180 wrote to memory of 4908 2180 5e48254b1e.exe 96 PID 2180 wrote to memory of 4908 2180 5e48254b1e.exe 96 PID 2180 wrote to memory of 4908 2180 5e48254b1e.exe 96 PID 2180 wrote to memory of 4392 2180 5e48254b1e.exe 98 PID 2180 wrote to memory of 4392 2180 5e48254b1e.exe 98 PID 2180 wrote to memory of 4392 2180 5e48254b1e.exe 98 PID 2180 wrote to memory of 4644 2180 5e48254b1e.exe 100 PID 2180 wrote to memory of 4644 2180 5e48254b1e.exe 100 PID 2180 wrote to memory of 4644 2180 5e48254b1e.exe 100 PID 2180 wrote to memory of 4216 2180 5e48254b1e.exe 102 PID 2180 wrote to memory of 4216 2180 5e48254b1e.exe 102 PID 2180 wrote to memory of 4216 2180 5e48254b1e.exe 102 PID 2180 wrote to memory of 5116 2180 5e48254b1e.exe 104 PID 2180 wrote to memory of 5116 2180 5e48254b1e.exe 104 PID 2180 wrote to memory of 5116 2180 5e48254b1e.exe 104 PID 2180 wrote to memory of 3012 2180 5e48254b1e.exe 106 PID 2180 wrote to memory of 3012 2180 5e48254b1e.exe 106 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3012 wrote to memory of 3628 3012 firefox.exe 107 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 PID 3628 wrote to memory of 224 3628 firefox.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\1013156001\b509cd02c2.exe"C:\Users\Admin\AppData\Local\Temp\1013156001\b509cd02c2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 14804⤵
- Program crash
PID:1580
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013157001\1f591fb796.exe"C:\Users\Admin\AppData\Local\Temp\1013157001\1f591fb796.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1448
-
-
C:\Users\Admin\AppData\Local\Temp\1013158001\5e48254b1e.exe"C:\Users\Admin\AppData\Local\Temp\1013158001\5e48254b1e.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d74367-9bc0-4818-a12e-b97e2e38aa76} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" gpu6⤵PID:224
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce7d64c5-83ba-4a7a-86e1-7d1f65a910a8} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" socket6⤵PID:4008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3352 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2976 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce0385e-3fd6-4f2b-aaa6-025e072355b7} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab6⤵PID:4356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfedb674-aaf8-4c45-942d-6e7dc2ac83c2} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab6⤵PID:2940
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee451c55-77c8-4c72-bba9-4dc0fa9398cc} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" utility6⤵
- Checks processor information in registry
PID:5196
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5160 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d1e5a41-db0c-445c-95ba-bca24697e7d4} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab6⤵PID:6112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c6daba-a7d9-44c9-bd2c-8610e41fc5ec} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab6⤵PID:6136
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abe2e1ee-3a67-483d-9f04-38bf3f79c3de} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab6⤵PID:2648
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013159001\335da8aa55.exe"C:\Users\Admin\AppData\Local\Temp\1013159001\335da8aa55.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4876 -ip 48761⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4572
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4960
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize21KB
MD56a8b7cd4d76aa4c53ce7163fa0d67322
SHA10df48ee4f9d87d4ee9e3f8d406be5617cf742412
SHA256fac20302a2ffd54f86ec2cbd13250968988a7c589ddf0edecec831106781bf15
SHA5121ace18f9ce180eb46e441166f69a9d0d7a4b4b08de0065edc3898963816c1b56b118ad7dc95d03aa6220a7f65b234b9951cef8dfb758999370d34845cf97a7f9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD59586dbc763ce168d13e7ab775dec4969
SHA1956646e796f72f7f597c0c5270306525ac32254e
SHA256ece826ad7d7f609ecc397099bda054fbbe166c3db468dc845ac210913ee6a1be
SHA512caf0aabef527c32a6f83ba80b3ee1f953ef3f3616bfa69e1fe9b87faafb4ecf54e0af7efa9cc2eb72f35ffa80262aab282cda6a468e4b67e5a268ff541dddc92
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD55f72235805250396cf882628caa405a7
SHA1d244741a58e7064c4b889d62e9bfc5041cff71cc
SHA25693ea63a9575ce609e58934d997b0acbceabc9267d8999fc784ea4bca19f09d57
SHA512dee028759cecdf7a6903ee4c87bbf5570adf6aac5d5df93face1872fea40becbd5cb8dd58231a080472f96809d35d97896f0d90923454eff9b3ebc7d5050478d
-
Filesize
1.8MB
MD5877b6b8ab582a5213d3241c6da70d697
SHA1d48d31bd73cdd1f1adfb866d9b4f8c97927fe8bb
SHA256e7cb0fdecf83c232b549c0263413f274d4b637e0658dc780aed1d32ff3821c5d
SHA5123b361e2c1a5b3a7c0856893ce6b608b9794122122ad788ea2ab4bfeaf11cba004df222a3249b2a7c79ccd60f60517c18e2aaf19b061507e31e3c10290dd10bce
-
Filesize
947KB
MD5cca277c8382b64dd43815051fa4975a6
SHA136116004a96c80dd28e662f07c4df95a623c92fa
SHA25601b59f87eb525c08aa9d829889ffd3f37b36d867dbb94856ae44fae43e24a159
SHA51255561e15685ab8a9c5c8b1b159fad826816f9ca2e4416f66f42373af414dd8ab0d1746ec7615f29e99e958fcc7e88a037e28b707f0f70f5660404193780d1bea
-
Filesize
2.7MB
MD5a52a2c89cff6be3d1d22a0e67663af9d
SHA1318ccb2277cc0155ecd6638f30c4ac9f3f0cf296
SHA256b9151e19f4a1d222b4771f7838d9713a1601a180ea3a4e08f720e38341a64d29
SHA51219d2425bb2b8cc45ef02e293916ec85620273a3c2080660e782230005d5e7417c93b706e02d4b3d68736a175aca6f64253f8deb60db82226a3956948873a011f
-
Filesize
3.0MB
MD5f918560684328ef2afdfdc8a1b30e9eb
SHA16ec9093af9bf97eb48a7be519c806540f3f9d6e9
SHA2562d4170efe9401501e4ae84ffb262414c39f92c311054424e324bc872081227fd
SHA5122861e45a5bf7d75adc0c698b3d3df81332dafe792cf2c1112daf789cb8b929e008b85dc7163bd643d1f64764d1d6c073f50345ad263013baa825146002b578b0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize8KB
MD52e34a3cff797a900fc0009311e85d8b4
SHA105d72cf7a537aa51043ae283c8ace8f9d0c0ffdd
SHA2569da1d32d828307ef05be027492137c0709c0ae69670f1be984d2cf95d7a60a70
SHA512920d8461abaf966a408e12f46a659fcdf88503e70213eaed7195b9663d7e729a170fc04b248c92f2b43f9ec6ba1e9b568837676ee9df866e72e86a6f8902cc21
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize18KB
MD5344b537bb6b046cfac36eff19840ceab
SHA165fd49d443ceb22afbed1e8a9b8802a393a6b279
SHA2566766b014aac210da83fa6845c0aa79318e729a665b7107b7c70e75ea8f9f79c6
SHA512dc366bda25a6d73dd2262a215b47dc48857d7c89444ed3177799199c8234fcbf7d68436b6cdf8718aa5842fd8a450000f4023962f6db134f1b307d1661fafe51
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5c570aa68c74cf98ecb2fa45601beaea8
SHA15301a21e35c3dfabf24496880d48913ec055ddd7
SHA256bb88e3097e2065bf1e9fa84cf5b9b3dfa441032e3ddb35348ad67e85f44a6571
SHA5122b141d3c781657a964752f7c135a6bea8f4bed7ba1a6ea55855b27164e31b6542898bf10b40aaa8aaa8e1169506ac25709aa5d10eb6a7256f152bd2d2c006a70
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD58c8376a8f719e4f3b8b8671b0bc541a0
SHA195bf25b73103c6bd787c0f82b263bda0f75d32b5
SHA256b42b9061a14cd712fa91f397091d4537e608ce8bf23bde61ce47f0d72bb5e790
SHA512cf2caadd0f5b49ae8be03ee3e2328cc4fac010a6a35ac9473e5be19f4a2a675824b987ea12ad6f6d56c39d5cf510cbfe29fecc94feb4ab3e308991003dc48780
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5f282dd09259126b8378429d5ce7998fb
SHA1c80872f9281c7fca016e163b9cfcf9da8702c0a7
SHA25697c688e98480b1b7c1273f264ba73193a49d94f0a66cad3dcc12575d373027c4
SHA5123c94e9becfea4cda8938ddf802fd4329518dcb9691b9ee5c9dbb13f4511602472aa7661a3230cc3139fab3c6e73fb0b7b51f7089c7a8dc3913f62d78982a564b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\4892f635-b78c-4866-b9fc-5620d3a26300
Filesize982B
MD56af67900e75e92fd101aaf9c6efab80d
SHA1c0ca05b9c1df6e4a0c0d13ca012c264a8af8d12d
SHA2566f444d30dce512fe4e7c1cad0cc0b0574c8442538235631a7e318d30384f9b51
SHA512009300b51956e1facf7e95071f0becc348a23180e19c191305c0ffe81254b5b9bf60d577ea67f464a7acf4c77d68c3f9b8d6e29a7690745d58e57a0b0db0bb5d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\687bf3fd-6e58-44e6-b6bf-d8eef34b3c9b
Filesize27KB
MD5f2a1d6ba3400f8048de23b6f749ef486
SHA1d8d42378c6bab22a855960ffa1d32a41786227d3
SHA2563550aeb9b313b5ae73c9016c4b1dc9340c6e9376962a9288187e31fe87a46d44
SHA5126cdf40da1d96358253311f27c7c93351daa67ea3730842fc32dfaf45eb6790fa5f723dbcdc5c3cf45376040daf2deaa10c85450d2729ac8cb6c766a72bc179df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\bde53ea9-6dd6-4a58-bd9a-1178405d6496
Filesize671B
MD5c823fe1efa80c66dfe5daeac76bf6041
SHA1f4a8c83becc1ba2e4a971f924d89cda1122919a4
SHA25658f8c76d1027b4c22b87739e7e2c0532c12c69baaa84eed3bc4d46dcf9008d88
SHA51255e561ffba509652c67e72a7a40c2196924cc57f44465e1453aa4805e661703f7713ea3e6ba6feb54b1bf7b73af51d6815c326337f64038ae6523d0c2b04d587
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD567d4e0a8dbcbacb9a6f82867537c5ab7
SHA123a2af6584243c1ca2549a83cf993e9cd28124ac
SHA2564bd413443df6fc6d6ca56458f40d17b0e33d608c37892ffc9a47f663ebe8e10d
SHA512e60c7b9ea14cc822b607a9201ce3a0c9a32fc075b0cce6f8448160f5ffacad12f22efee5633baa459269dc10bd424155aadd0201daa8f6f8aea40124f1b20058
-
Filesize
15KB
MD5de2cfb63c585d83020e330d4fce971f7
SHA138a008675981ba985923f078fe3153a50d78e996
SHA256f63b3ae2ebbcd924cd53fdef10d3767fab0f1117a1368fa5970fb9d8ae43778e
SHA5122613ad5a18f1142a9da917189e833baad5e2b1ac3ec7bb5d2ebf9cbf08489b3f1e0e71207f79bd0255f4581dee1badeda9ef01c68d6a56bf39abe9a6dfcebf6b
-
Filesize
10KB
MD564efd0e0cc464c794a01547fab2ea472
SHA12b63682f29c5f59e223e8a42437600ba47a13714
SHA25603f7b5b23cd9d22e88967329d420776394950604d2001f1b96207dbd7c159006
SHA512c84e71b16f07061234b161d7ac8b6e0dd909a0e4813b8019b02565efdddbd47c8911d48feb6a46a5d9623fa2b823c6c8f3abfc8044bd92399925b2a9b8257a49