amadey | 536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
Size

3.0MB
MD5

520ee940832d8a70cef812a75401009c
SHA1

83d76e5b100e044be166e1be2b30bf5f1eaf2332
SHA256

536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb
SHA512

5b6e1e9495849c12e6e268c17347e4b3ce15c9b684e0697c524e5dbb7d8d0f9c5e14bdc2945e1c90949272893b911cef913becad4855fb58516784fd5b0d7217
SSDEEP

49152:2IX4k+/kZFoejWG7pFo4jjBuqNFrzrLujVUeTWDqHFC:2l1oFojG7pFo4jtuokSeqD

Score

10^/10

amadey lumma stealc 9c9aa5 stok discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://atten-supporse.biz/api

https://covery-mover.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	345825b52f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8091369cd6.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	345825b52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	345825b52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8091369cd6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8091369cd6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe

Executes dropped EXE 4 IoCs

pid	Process
2764	skotes.exe
2196	345825b52f.exe
2588	8091369cd6.exe
2176	06f22f0dce.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	345825b52f.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	8091369cd6.exe

Loads dropped DLL 6 IoCs

pid	Process
1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
2764	skotes.exe
2764	skotes.exe
2764	skotes.exe
2764	skotes.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\345825b52f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013887001\\345825b52f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\8091369cd6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013888001\\8091369cd6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\06f22f0dce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013889001\\06f22f0dce.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001961f-85.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
2764	skotes.exe
2196	345825b52f.exe
2588	8091369cd6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	06f22f0dce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06f22f0dce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	06f22f0dce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	345825b52f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8091369cd6.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1896	taskkill.exe
2576	taskkill.exe
2084	taskkill.exe
3032	taskkill.exe
2728	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
2764	skotes.exe
2196	345825b52f.exe
2588	8091369cd6.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2660	firefox.exe
Token: SeDebugPrivilege	2660	firefox.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe
2176	06f22f0dce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2764	1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe	30
PID 1356 wrote to memory of 2764	1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe	30
PID 1356 wrote to memory of 2764	1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe	30
PID 1356 wrote to memory of 2764	1356	536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe	30
PID 2764 wrote to memory of 2196	2764	skotes.exe	33
PID 2764 wrote to memory of 2196	2764	skotes.exe	33
PID 2764 wrote to memory of 2196	2764	skotes.exe	33
PID 2764 wrote to memory of 2196	2764	skotes.exe	33
PID 2764 wrote to memory of 2588	2764	skotes.exe	34
PID 2764 wrote to memory of 2588	2764	skotes.exe	34
PID 2764 wrote to memory of 2588	2764	skotes.exe	34
PID 2764 wrote to memory of 2588	2764	skotes.exe	34
PID 2764 wrote to memory of 2176	2764	skotes.exe	35
PID 2764 wrote to memory of 2176	2764	skotes.exe	35
PID 2764 wrote to memory of 2176	2764	skotes.exe	35
PID 2764 wrote to memory of 2176	2764	skotes.exe	35
PID 2176 wrote to memory of 1896	2176	06f22f0dce.exe	36
PID 2176 wrote to memory of 1896	2176	06f22f0dce.exe	36
PID 2176 wrote to memory of 1896	2176	06f22f0dce.exe	36
PID 2176 wrote to memory of 1896	2176	06f22f0dce.exe	36
PID 2176 wrote to memory of 2576	2176	06f22f0dce.exe	39
PID 2176 wrote to memory of 2576	2176	06f22f0dce.exe	39
PID 2176 wrote to memory of 2576	2176	06f22f0dce.exe	39
PID 2176 wrote to memory of 2576	2176	06f22f0dce.exe	39
PID 2176 wrote to memory of 2084	2176	06f22f0dce.exe	41
PID 2176 wrote to memory of 2084	2176	06f22f0dce.exe	41
PID 2176 wrote to memory of 2084	2176	06f22f0dce.exe	41
PID 2176 wrote to memory of 2084	2176	06f22f0dce.exe	41
PID 2176 wrote to memory of 3032	2176	06f22f0dce.exe	43
PID 2176 wrote to memory of 3032	2176	06f22f0dce.exe	43
PID 2176 wrote to memory of 3032	2176	06f22f0dce.exe	43
PID 2176 wrote to memory of 3032	2176	06f22f0dce.exe	43
PID 2176 wrote to memory of 2728	2176	06f22f0dce.exe	45
PID 2176 wrote to memory of 2728	2176	06f22f0dce.exe	45
PID 2176 wrote to memory of 2728	2176	06f22f0dce.exe	45
PID 2176 wrote to memory of 2728	2176	06f22f0dce.exe	45
PID 2176 wrote to memory of 600	2176	06f22f0dce.exe	47
PID 2176 wrote to memory of 600	2176	06f22f0dce.exe	47
PID 2176 wrote to memory of 600	2176	06f22f0dce.exe	47
PID 2176 wrote to memory of 600	2176	06f22f0dce.exe	47
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 600 wrote to memory of 2660	600	firefox.exe	48
PID 2660 wrote to memory of 2920	2660	firefox.exe	49
PID 2660 wrote to memory of 2920	2660	firefox.exe	49
PID 2660 wrote to memory of 2920	2660	firefox.exe	49
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50
PID 2660 wrote to memory of 1360	2660	firefox.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe
"C:\Users\Admin\AppData\Local\Temp\536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\1013887001\345825b52f.exe
    "C:\Users\Admin\AppData\Local\Temp\1013887001\345825b52f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\1013888001\8091369cd6.exe
    "C:\Users\Admin\AppData\Local\Temp\1013888001\8091369cd6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\1013889001\06f22f0dce.exe
    "C:\Users\Admin\AppData\Local\Temp\1013889001\06f22f0dce.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.0.823670722\42995137" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8960f17-45f8-4e25-b7fa-a8168db84e2d} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 1280 11fbf858 gpu
        6⤵
        
        PID:2920
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.1.509253436\1573325694" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca64632-fa1d-457a-a163-5fc39b524a5a} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 1484 e74e58 socket
        6⤵
        
        PID:1360
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.2.990698970\221726637" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6028a54-11f1-471b-be59-374d21f1b073} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 2116 1a8d1158 tab
        6⤵
        
        PID:1944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.3.12661495\526195709" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ca5b459-788d-4489-b968-c2d68661e1d3} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 2952 1b671358 tab
        6⤵
        
        PID:716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.4.985684624\2122189607" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 1108 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e81bc62e-29fc-4d31-9031-dd1e7b48f5c9} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 3728 1d88ce58 tab
        6⤵
        
        PID:1548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.5.1611834717\1115412585" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3840 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e1649ac-2eb7-4cb5-a216-f4d9a24313d6} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 3824 1efa3858 tab
        6⤵
        
        PID:2180
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.6.933895200\596289912" -childID 5 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3f4f847-99fb-46f7-b12b-3a8baed35850} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 3988 1efa4a58 tab
        6⤵
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
31KB

MD5
d08f64a2e98a6518b9e27afd1ef0b585

SHA1
31d85bff040dd96920854f54b5e51d2df036efb2

SHA256
91d1ef028dde3836451f66f9b1edca1bfe41017baa4a79456995c37849d5a1ce

SHA512
0be61de5b260e2a54d31d0540fb1028ae6ef88fc33d19557210891dabee7db67b892d26030683282d6db5ef11a89efb6822248b4cfdeb46043fe3c7d7daf650d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

Filesize
13KB

MD5
ccb70503d3118dc7f4c78bee99e77fb5

SHA1
f8cde5f496e4d987a3e46451375e3f269504f8e0

SHA256
a0c4596788ab3cb76c6f671fcf41078832408bb4cf53dea50a7b587ad3597608

SHA512
77c6ca4ccad545b183e68d0d5c4ac71ce089ee82103800072f69ac2efc52b701240957de327c8e3a28dda0ff362f6e4c06a655da2944fc5052a28d0a21c5296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013887001\345825b52f.exe

Filesize
1.8MB

MD5
8acdb762884b5b158baa97ef82092801

SHA1
5f0e9409918f923e51e7c5443bd595fa3191aa37

SHA256
cebd39057210ff489a2ce3bec47d182efdb42d1a44c6be80919bb7f15a653d8c

SHA512
81a49ca000c783a3c1f86d23ad2d8572f0598a40cbf5feca9e467ca5d544c753a773f8ce481dcab0147711e5eeab743c86db1545a52d7ded51eff82f2690e736

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013888001\8091369cd6.exe

Filesize
1.8MB

MD5
37b82918f398b44c105c640bfd4b4ae8

SHA1
7d3deaf1a4edda230934ef983cc9463bd71e5ac4

SHA256
6383cde311a862695e4beb993b5a2942001d55cac0b5ee80ca604ebde00956b7

SHA512
6fc57c3c156ca660fc5d5b7ac82f74c8ce10e5d73d60c83d7e41b98ddce9232c5c9e1f38dceafbdbdb34a4f11c311be43606fe2b4370272056eaa568081adb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013889001\06f22f0dce.exe

Filesize
946KB

MD5
fc26bdbe9ddeeed584ca0edf20262ab8

SHA1
c8a690c697b674e7cd5b8bcebab365d743fd474b

SHA256
7bc7da7d6376541a7b3579417c4d163d849387a7b6b5439b0c920a5cc2a26b79

SHA512
ad7dfcd10809cf214d9c34ac8014425ff1b8d5075584d13ebe390c32df1635dc1b5505e1d056d6109d8eae7f9365bed4e1b27820239a2c0d58c859ce65c1a560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
05336555c0f250133a6d4bc887c3b16c

SHA1
3a7bb181e475cdf12846a2b59e431c757fe8bc03

SHA256
38e0be8887b39867dc4c538b43a6c5936d0320a0890093846d44668701583f98

SHA512
e255d8cea00baf92b9a0881c844b0a6498b021fc0ef76ac1acc00c9e17dc43520c654b955f9044519b248ec910067d41004eba242c6cb63a266e017c6d346a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\2dd8d909-8fc9-46e4-9bc0-35305a54a008

Filesize
733B

MD5
e5f0fb023596172a7f6a73233756ac7f

SHA1
7e3996b4449ae9f69c78d230aba6f9e599bf6077

SHA256
a1caf1dea0b6ccff5e0073f655d31e794b7b04c993c990ffac8c0d80309d8f3b

SHA512
d119054d4dc8460fcc4af9fda011a32e35846378fc532c40ebc4b361ede519d00d31fe3c61acf138f1756de2146f52aeeb3266039ecd201bf69ddd4494a55060

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
6KB

MD5
5d5a903dad699abbf5bffdb2b19f18d8

SHA1
90caf42319a93a0a6c255d6a5c8d7f6ac3e81cc6

SHA256
83d8842cbce809b7847ed9b132783741a1b4a5cc2ba139729d047566d40c8dac

SHA512
22f3ca8fdadb47f399e19b5230a8c5d490c0ae471e3d500bdf36fc50547af7a1e01cf48209491c89f89ef3546a13134ea171fc7288591d33bea420f30ba090bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
7KB

MD5
f18202f0f4b3c99b2b0c39f619965afa

SHA1
a02ac0ac33315c5f9ce29e0309f62765b182237d

SHA256
d2ae3b419a04901443874d44bf3dc638f8514194cc95c78f02372d448611e81c

SHA512
cf07930db2cadc01aa3fb952e5b46b4ae9aade9fb2c66ca268823795b7dc1c52e6013e9e0b50083dd0fb086714f27f4db75b299edf0e1ee5de9fd533e4725f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
933B

MD5
8580ac7d80c8bb4d9fbe164bb93e2471

SHA1
6a7d7104712425aac61285ff5461c8454fb91fe7

SHA256
85fe9e964f1adde7902174a962c6a5a1bb7bde763453182616fb3d01bd00fd52

SHA512
013187ccb7424aeaf1d5c81df90318e6a2d6f73106216eea32baf08e916d5b326a9120d61b08655a5cd622a31f0c5c092e22e61bb2019c31bfc57dd0b40e392a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
506542f6981b45531951b8ca390fa625

SHA1
9ecea1062235dcd2e0b812f52898cbf4ae2c157a

SHA256
19eeb61440d44c89bce0f6c0bf68cb5be27000b11e824a3dfaa33d4dd13b0eac

SHA512
b4efdbe2a8551758b9edad06735e6987889fdba56bbb08d0e09e6dc82599b93e7bb34e652adaf1e268fbfd6a10e54ad2adcd49dff7da3a857035f30424ccc73f

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.0MB

MD5
520ee940832d8a70cef812a75401009c

SHA1
83d76e5b100e044be166e1be2b30bf5f1eaf2332

SHA256
536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb

SHA512
5b6e1e9495849c12e6e268c17347e4b3ce15c9b684e0697c524e5dbb7d8d0f9c5e14bdc2945e1c90949272893b911cef913becad4855fb58516784fd5b0d7217

Download Submit
memory/1356-18-0x00000000012B0000-0x00000000015C0000-memory.dmp

Filesize
3.1MB

Download
memory/1356-0-0x00000000012B0000-0x00000000015C0000-memory.dmp

Filesize
3.1MB

Download
memory/1356-3-0x00000000012B0000-0x00000000015C0000-memory.dmp

Filesize
3.1MB

Download
memory/1356-2-0x00000000012B1000-0x0000000001319000-memory.dmp

Filesize
416KB

Download
memory/1356-1-0x00000000776D0000-0x00000000776D2000-memory.dmp

Filesize
8KB

Download
memory/1356-19-0x00000000012B1000-0x0000000001319000-memory.dmp

Filesize
416KB

Download
memory/1356-5-0x00000000012B0000-0x00000000015C0000-memory.dmp

Filesize
3.1MB

Download
memory/2196-287-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-377-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-198-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-53-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-95-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-211-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-75-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-339-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2196-78-0x00000000000A0000-0x000000000052F000-memory.dmp

Filesize
4.6MB

Download
memory/2588-74-0x0000000000DD0000-0x000000000147D000-memory.dmp

Filesize
6.7MB

Download
memory/2588-77-0x0000000000DD0000-0x000000000147D000-memory.dmp

Filesize
6.7MB

Download
memory/2764-32-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-22-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-79-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-80-0x00000000065B0000-0x0000000006C5D000-memory.dmp

Filesize
6.7MB

Download
memory/2764-71-0x00000000065B0000-0x0000000006C5D000-memory.dmp

Filesize
6.7MB

Download
memory/2764-55-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-105-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-52-0x00000000065B0000-0x0000000006A3F000-memory.dmp

Filesize
4.6MB

Download
memory/2764-37-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-35-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-34-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-212-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-73-0x00000000065B0000-0x0000000006C5D000-memory.dmp

Filesize
6.7MB

Download
memory/2764-33-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-199-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-31-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-29-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-300-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-28-0x0000000000E81000-0x0000000000EE9000-memory.dmp

Filesize
416KB

Download
memory/2764-27-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-26-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-340-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-25-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-23-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/2764-76-0x00000000065B0000-0x0000000006A3F000-memory.dmp

Filesize
4.6MB

Download
memory/2764-21-0x0000000000E81000-0x0000000000EE9000-memory.dmp

Filesize
416KB

Download
memory/2764-20-0x0000000000E80000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download