Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 12:28
Static task
static1
Behavioral task
behavioral1
Sample
b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe
Resource
win10v2004-20241007-en
General
-
Target
b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe
-
Size
3.1MB
-
MD5
197f7a10814e446ee3d649f2509b1608
-
SHA1
a459ec5320318e01318105d8e87e707ea480a4c7
-
SHA256
b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce
-
SHA512
b595f5b8de7ecf96cb18f9f1de10bbb4988bb9b6412e1837b49469b78f7f15bbae661b8092b1d46fa6d2bdfeaa5f0e8e0f493c70dbe7d94c66cba325d83e6c85
-
SSDEEP
49152:yZ1m9In5PVRjbnKSoNK1yoJFk/yUXeo7HH4MBQC+kQFw:yZ0In9V1nKR4yiFkqUX0C+9w
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
lumma
https://drive-connect.cyou/api
https://tacitglibbr.biz/api
https://immureprech.biz/api
https://deafeninggeh.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 4d44f0a5aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4d44f0a5aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 4d44f0a5aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 4d44f0a5aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 4d44f0a5aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 4d44f0a5aa.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 211fdbf7bb.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4d44f0a5aa.exe -
Renames multiple (8137) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4d44f0a5aa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 211fdbf7bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 211fdbf7bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4d44f0a5aa.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smwin.vbs bluemail.exe -
Executes dropped EXE 28 IoCs
pid Process 2660 skotes.exe 2296 LoaderClient.exe 1928 LoaderClient.exe 2172 4ZD5C3i.exe 1456 bluemail.exe 3408 Bxq1jd2.exe 4084 EkmIhQM.exe 2480 yt0wVyV.exe 5688 63f6851e4d.exe 5940 7z.exe 5700 7z.exe 2948 7z.exe 3264 7z.exe 5620 7z.exe 5892 7z.exe 5416 7z.exe 2588 7z.exe 288 in.exe 5528 c3fbc61667.exe 3416 c3fbc61667.exe 5660 f69cc52010.exe 4008 f3W2KH9.exe 5536 f224c8666a.exe 5616 211fdbf7bb.exe 3100 EkmIhQM.exe 4836 4d44f0a5aa.exe 2892 fe2dc9f703.exe 5956 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 211fdbf7bb.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 4d44f0a5aa.exe -
Loads dropped DLL 56 IoCs
pid Process 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 2660 skotes.exe 2296 LoaderClient.exe 1928 LoaderClient.exe 2660 skotes.exe 2660 skotes.exe 1080 Process not Found 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 4968 cmd.exe 5940 7z.exe 4968 cmd.exe 5700 7z.exe 4968 cmd.exe 2948 7z.exe 4968 cmd.exe 3264 7z.exe 4968 cmd.exe 5620 7z.exe 4968 cmd.exe 5892 7z.exe 4968 cmd.exe 5416 7z.exe 4968 cmd.exe 2588 7z.exe 4968 cmd.exe 4968 cmd.exe 2660 skotes.exe 2660 skotes.exe 5528 c3fbc61667.exe 5192 WerFault.exe 5192 WerFault.exe 5192 WerFault.exe 5192 WerFault.exe 5192 WerFault.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 2684 WerFault.exe 2684 WerFault.exe 2684 WerFault.exe 2684 WerFault.exe 2684 WerFault.exe 2660 skotes.exe 2660 skotes.exe 4084 EkmIhQM.exe 2660 skotes.exe 2660 skotes.exe 2660 skotes.exe 4916 taskeng.exe 4916 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 4d44f0a5aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 4d44f0a5aa.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\0BF9D1A041D42963495975\\0BF9D1A041D42963495975.exe" yt0wVyV.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Current = "C:\\Users\\Admin\\AppData\\Roaming\\Current.exe" f3W2KH9.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f224c8666a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015181001\\f224c8666a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\211fdbf7bb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015182001\\211fdbf7bb.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\4d44f0a5aa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015183001\\4d44f0a5aa.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 4ZD5C3i.exe File opened (read-only) \??\Z: 4ZD5C3i.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0015000000016d72-20374.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 2660 skotes.exe 5616 211fdbf7bb.exe 4836 4d44f0a5aa.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 5528 set thread context of 3416 5528 c3fbc61667.exe 73 PID 4084 set thread context of 3100 4084 EkmIhQM.exe 103 PID 5956 set thread context of 2020 5956 Intel_PTT_EK_Recertification.exe 108 -
resource yara_rule behavioral1/memory/288-18946-0x000000013F8A0000-0x000000013FD30000-memory.dmp upx behavioral1/memory/288-18949-0x000000013F8A0000-0x000000013FD30000-memory.dmp upx behavioral1/memory/5956-20649-0x000000013FD70000-0x0000000140200000-memory.dmp upx behavioral1/memory/5956-20661-0x000000013FD70000-0x0000000140200000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\VideoLAN Website.url 4ZD5C3i.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107544.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157177.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\release 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212957.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp 4ZD5C3i.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties 4ZD5C3i.exe File created C:\Program Files\DVD Maker\de-DE\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html 4ZD5C3i.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.XML 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml 4ZD5C3i.exe File created C:\Program Files\README.TXT 4ZD5C3i.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\README.TXT 4ZD5C3i.exe File created C:\Program Files\VideoLAN\VLC\locale\fy\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02464_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon 4ZD5C3i.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\README.TXT 4ZD5C3i.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5192 1456 WerFault.exe 36 -
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bxq1jd2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3fbc61667.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3fbc61667.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f69cc52010.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EkmIhQM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe2dc9f703.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ZD5C3i.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EkmIhQM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f224c8666a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 211fdbf7bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d44f0a5aa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bluemail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63f6851e4d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language f224c8666a.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage f224c8666a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3348 powershell.exe 5648 PING.EXE 5604 powershell.exe 6000 PING.EXE -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Bxq1jd2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Bxq1jd2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f69cc52010.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f69cc52010.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 4864 timeout.exe 3680 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 2748 taskkill.exe 2956 taskkill.exe 3160 taskkill.exe 2848 taskkill.exe 2612 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 f69cc52010.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a f69cc52010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Bxq1jd2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Bxq1jd2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Bxq1jd2.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 6000 PING.EXE 5648 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3244 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 2660 skotes.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe 2172 4ZD5C3i.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2172 4ZD5C3i.exe Token: SeBackupPrivilege 980 vssvc.exe Token: SeRestorePrivilege 980 vssvc.exe Token: SeAuditPrivilege 980 vssvc.exe Token: SeDebugPrivilege 1456 bluemail.exe Token: SeDebugPrivilege 4084 EkmIhQM.exe Token: SeIncreaseQuotaPrivilege 2480 yt0wVyV.exe Token: SeSecurityPrivilege 2480 yt0wVyV.exe Token: SeTakeOwnershipPrivilege 2480 yt0wVyV.exe Token: SeLoadDriverPrivilege 2480 yt0wVyV.exe Token: SeSystemProfilePrivilege 2480 yt0wVyV.exe Token: SeSystemtimePrivilege 2480 yt0wVyV.exe Token: SeProfSingleProcessPrivilege 2480 yt0wVyV.exe Token: SeIncBasePriorityPrivilege 2480 yt0wVyV.exe Token: SeCreatePagefilePrivilege 2480 yt0wVyV.exe Token: SeBackupPrivilege 2480 yt0wVyV.exe Token: SeRestorePrivilege 2480 yt0wVyV.exe Token: SeShutdownPrivilege 2480 yt0wVyV.exe Token: SeDebugPrivilege 2480 yt0wVyV.exe Token: SeSystemEnvironmentPrivilege 2480 yt0wVyV.exe Token: SeRemoteShutdownPrivilege 2480 yt0wVyV.exe Token: SeUndockPrivilege 2480 yt0wVyV.exe Token: SeManageVolumePrivilege 2480 yt0wVyV.exe Token: 33 2480 yt0wVyV.exe Token: 34 2480 yt0wVyV.exe Token: 35 2480 yt0wVyV.exe Token: SeRestorePrivilege 5940 7z.exe Token: 35 5940 7z.exe Token: SeSecurityPrivilege 5940 7z.exe Token: SeSecurityPrivilege 5940 7z.exe Token: SeRestorePrivilege 5700 7z.exe Token: 35 5700 7z.exe Token: SeSecurityPrivilege 5700 7z.exe Token: SeSecurityPrivilege 5700 7z.exe Token: SeRestorePrivilege 2948 7z.exe Token: 35 2948 7z.exe Token: SeSecurityPrivilege 2948 7z.exe Token: SeSecurityPrivilege 2948 7z.exe Token: SeRestorePrivilege 3264 7z.exe Token: 35 3264 7z.exe Token: SeSecurityPrivilege 3264 7z.exe Token: SeSecurityPrivilege 3264 7z.exe Token: SeRestorePrivilege 5620 7z.exe Token: 35 5620 7z.exe Token: SeSecurityPrivilege 5620 7z.exe Token: SeSecurityPrivilege 5620 7z.exe Token: SeRestorePrivilege 5892 7z.exe Token: 35 5892 7z.exe Token: SeSecurityPrivilege 5892 7z.exe Token: SeSecurityPrivilege 5892 7z.exe Token: SeRestorePrivilege 5416 7z.exe Token: 35 5416 7z.exe Token: SeSecurityPrivilege 5416 7z.exe Token: SeSecurityPrivilege 5416 7z.exe Token: SeRestorePrivilege 2588 7z.exe Token: 35 2588 7z.exe Token: SeSecurityPrivilege 2588 7z.exe Token: SeSecurityPrivilege 2588 7z.exe Token: SeDebugPrivilege 5604 powershell.exe Token: SeDebugPrivilege 1456 bluemail.exe Token: SeDebugPrivilege 4008 f3W2KH9.exe Token: SeDebugPrivilege 4008 f3W2KH9.exe Token: SeDebugPrivilege 2748 taskkill.exe Token: SeDebugPrivilege 2956 taskkill.exe -
Suspicious use of FindShellTrayWindow 15 IoCs
pid Process 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 3280 firefox.exe 3280 firefox.exe 3280 firefox.exe 3280 firefox.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 3280 firefox.exe 3280 firefox.exe 3280 firefox.exe 5536 f224c8666a.exe 5536 f224c8666a.exe 5536 f224c8666a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2080 wrote to memory of 2660 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 28 PID 2080 wrote to memory of 2660 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 28 PID 2080 wrote to memory of 2660 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 28 PID 2080 wrote to memory of 2660 2080 b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe 28 PID 2660 wrote to memory of 2296 2660 skotes.exe 30 PID 2660 wrote to memory of 2296 2660 skotes.exe 30 PID 2660 wrote to memory of 2296 2660 skotes.exe 30 PID 2660 wrote to memory of 2296 2660 skotes.exe 30 PID 2296 wrote to memory of 1928 2296 LoaderClient.exe 31 PID 2296 wrote to memory of 1928 2296 LoaderClient.exe 31 PID 2296 wrote to memory of 1928 2296 LoaderClient.exe 31 PID 2660 wrote to memory of 2172 2660 skotes.exe 32 PID 2660 wrote to memory of 2172 2660 skotes.exe 32 PID 2660 wrote to memory of 2172 2660 skotes.exe 32 PID 2660 wrote to memory of 2172 2660 skotes.exe 32 PID 2660 wrote to memory of 1456 2660 skotes.exe 36 PID 2660 wrote to memory of 1456 2660 skotes.exe 36 PID 2660 wrote to memory of 1456 2660 skotes.exe 36 PID 2660 wrote to memory of 1456 2660 skotes.exe 36 PID 2660 wrote to memory of 3408 2660 skotes.exe 39 PID 2660 wrote to memory of 3408 2660 skotes.exe 39 PID 2660 wrote to memory of 3408 2660 skotes.exe 39 PID 2660 wrote to memory of 3408 2660 skotes.exe 39 PID 2660 wrote to memory of 4084 2660 skotes.exe 40 PID 2660 wrote to memory of 4084 2660 skotes.exe 40 PID 2660 wrote to memory of 4084 2660 skotes.exe 40 PID 2660 wrote to memory of 4084 2660 skotes.exe 40 PID 2660 wrote to memory of 2480 2660 skotes.exe 43 PID 2660 wrote to memory of 2480 2660 skotes.exe 43 PID 2660 wrote to memory of 2480 2660 skotes.exe 43 PID 2660 wrote to memory of 2480 2660 skotes.exe 43 PID 3408 wrote to memory of 5756 3408 Bxq1jd2.exe 45 PID 3408 wrote to memory of 5756 3408 Bxq1jd2.exe 45 PID 3408 wrote to memory of 5756 3408 Bxq1jd2.exe 45 PID 3408 wrote to memory of 5756 3408 Bxq1jd2.exe 45 PID 5756 wrote to memory of 4864 5756 cmd.exe 47 PID 5756 wrote to memory of 4864 5756 cmd.exe 47 PID 5756 wrote to memory of 4864 5756 cmd.exe 47 PID 5756 wrote to memory of 4864 5756 cmd.exe 47 PID 2660 wrote to memory of 5688 2660 skotes.exe 48 PID 2660 wrote to memory of 5688 2660 skotes.exe 48 PID 2660 wrote to memory of 5688 2660 skotes.exe 48 PID 2660 wrote to memory of 5688 2660 skotes.exe 48 PID 5688 wrote to memory of 4968 5688 63f6851e4d.exe 49 PID 5688 wrote to memory of 4968 5688 63f6851e4d.exe 49 PID 5688 wrote to memory of 4968 5688 63f6851e4d.exe 49 PID 5688 wrote to memory of 4968 5688 63f6851e4d.exe 49 PID 4968 wrote to memory of 2020 4968 cmd.exe 51 PID 4968 wrote to memory of 2020 4968 cmd.exe 51 PID 4968 wrote to memory of 2020 4968 cmd.exe 51 PID 4968 wrote to memory of 5940 4968 cmd.exe 52 PID 4968 wrote to memory of 5940 4968 cmd.exe 52 PID 4968 wrote to memory of 5940 4968 cmd.exe 52 PID 4968 wrote to memory of 5700 4968 cmd.exe 53 PID 4968 wrote to memory of 5700 4968 cmd.exe 53 PID 4968 wrote to memory of 5700 4968 cmd.exe 53 PID 4968 wrote to memory of 2948 4968 cmd.exe 54 PID 4968 wrote to memory of 2948 4968 cmd.exe 54 PID 4968 wrote to memory of 2948 4968 cmd.exe 54 PID 4968 wrote to memory of 3264 4968 cmd.exe 55 PID 4968 wrote to memory of 3264 4968 cmd.exe 55 PID 4968 wrote to memory of 3264 4968 cmd.exe 55 PID 4968 wrote to memory of 5620 4968 cmd.exe 56 PID 4968 wrote to memory of 5620 4968 cmd.exe 56 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 3288 attrib.exe 2876 attrib.exe 5560 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe"C:\Users\Admin\AppData\Local\Temp\b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderClient.exe"C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderClient.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderClient.exe"C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderClient.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\1014844001\bluemail.exe"C:\Users\Admin\AppData\Local\Temp\1014844001\bluemail.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1456 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 6444⤵
- Loads dropped DLL
- Program crash
PID:5192
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015079001\Bxq1jd2.exe"C:\Users\Admin\AppData\Local\Temp\1015079001\Bxq1jd2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015079001\Bxq1jd2.exe" & rd /s /q "C:\ProgramData\T26XT2VAAAAA" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5756 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4864
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015130001\EkmIhQM.exe"C:\Users\Admin\AppData\Local\Temp\1015130001\EkmIhQM.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\1015130001\EkmIhQM.exe"C:\Users\Admin\AppData\Local\Temp\1015130001\EkmIhQM.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3100
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015176001\yt0wVyV.exe"C:\Users\Admin\AppData\Local\Temp\1015176001\yt0wVyV.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
C:\Users\Admin\AppData\Local\Temp\1015177001\63f6851e4d.exe"C:\Users\Admin\AppData\Local\Temp\1015177001\63f6851e4d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5688 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\system32\mode.commode 65,105⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5940
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5700
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5620
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5892
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:3288
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:288 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:5560
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:2876
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:3244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5604 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6000
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015178001\c3fbc61667.exe"C:\Users\Admin\AppData\Local\Temp\1015178001\c3fbc61667.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Users\Admin\AppData\Local\Temp\1015178001\c3fbc61667.exe"C:\Users\Admin\AppData\Local\Temp\1015178001\c3fbc61667.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3416
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015179001\f69cc52010.exe"C:\Users\Admin\AppData\Local\Temp\1015179001\f69cc52010.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:5660 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015179001\f69cc52010.exe" & rd /s /q "C:\ProgramData\Q1NGDT0R9H4E" & exit4⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3680
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015180001\f3W2KH9.exe"C:\Users\Admin\AppData\Local\Temp\1015180001\f3W2KH9.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4008 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4008 -s 6204⤵
- Loads dropped DLL
PID:2684
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015181001\f224c8666a.exe"C:\Users\Admin\AppData\Local\Temp\1015181001\f224c8666a.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5536 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2848
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2612
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:5700
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3280 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.0.434622235\170248950" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92e1dbf8-c4ea-4301-826d-bcf7d0253499} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 1344 11af5058 gpu6⤵PID:5800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.1.949795733\103171552" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1508 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {956ad260-3e4f-481b-9aa9-560e12f0dc74} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 1524 101fb258 socket6⤵PID:712
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.2.1472618534\216128215" -childID 1 -isForBrowser -prefsHandle 1952 -prefMapHandle 1968 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f58e5f-9096-48a9-902b-99b1cab1be64} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 2036 1a366058 tab6⤵PID:4132
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.3.454270031\1069035722" -childID 2 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4099bb41-8044-4e9e-90c4-8188c47b7b54} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 2940 e5ea58 tab6⤵PID:5808
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.4.1993763051\374682955" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3424 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b52961f2-3c1f-43eb-b422-f4ca9d5cc6ca} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 3740 1eeab258 tab6⤵PID:5520
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.5.1999771502\1681475170" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57600d11-2622-412c-a8a3-35b3ce3e6e7e} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 3828 201a7258 tab6⤵PID:5252
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3280.6.1762901906\1582070130" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f07391a5-a2b8-4b38-9b26-683f5a4c351c} 3280 "\\.\pipe\gecko-crash-server-pipe.3280" 4004 201a7e58 tab6⤵PID:4376
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015182001\211fdbf7bb.exe"C:\Users\Admin\AppData\Local\Temp\1015182001\211fdbf7bb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5616
-
-
C:\Users\Admin\AppData\Local\Temp\1015183001\4d44f0a5aa.exe"C:\Users\Admin\AppData\Local\Temp\1015183001\4d44f0a5aa.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\1015184001\fe2dc9f703.exe"C:\Users\Admin\AppData\Local\Temp\1015184001\fe2dc9f703.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980
-
C:\Windows\system32\taskeng.exetaskeng.exe {6A759A1E-104A-4AEE-93EE-D257E45E64FC} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:4916 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5956 -
C:\Windows\explorer.exeexplorer.exe3⤵PID:2020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
PID:3348 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5648
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Discovery
Peripheral Device Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
533B
MD581d185495b4e6430a87dfd37789bb872
SHA1b5da653f81a548c74205c7ae3d19f30af1a14271
SHA256838d654b9cb0360d8b3bb767db8fc1954fc41ba0a56fc34688aad9b50f5ddb40
SHA5121106c9c2245cbd44effb42e4e1365eb796d3b2390b011fb97205550bf183b097c489194aa001f97f949e9d1ed1c970eea6cbb0477da47511e5bc18e88bf2dfa5
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5618b38847dfbfb9a649c14548de5c0d8
SHA17312b71fd91698a13a370aee44cc6f05c57bb996
SHA2564867319e647778be872d089c4f4a1faee516f805460ce76b50394606afe0f62d
SHA512a4073bca9e837e2709f736b3299e8f96bbb0e2ec4ad45727b83f0ccd49e2572a567745e4784d7fbf8bfeea5481eb365563722538e4700355b9106db235cf8284
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD556a8caff8057f88f43dac33230c6ded0
SHA1f2072aba4817a8e49b42eecf99c8e470ee587dec
SHA256651469717cec09040d5b962a693f122bfa6bf0d7c796c87f3a67d8d0a20a7378
SHA512af681156e8db3bdca34e8cd7fb7624a09fab6ea582402e220ca81beb4da51f91c9164ef1bb127f0787f1a549c63c00795e5b8c3f8af85884c7bd3eddaad739ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD508747c9e6f5eb5cfec3efb464a9ab4c1
SHA1d6da95061e0d1d4a1611636ba5cb6e5424d9ec68
SHA256735344adbe5f63d61f1beb135c04d3e2611bcf85794e3a7d95b739320fecdf02
SHA5125c19c13fcee9a9d306492b30a190f77bf4574650ad71adb25779401686be4c2781029d8e7266abeab115e8e7d8a18ebb7c3314608fe3a699cce160be7615d9c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD51bb2187e564013e72441d4bd2b52905a
SHA1e7ac4cf024ca1a3a5466abe0df82030cd36d4b4e
SHA256720ebccdedd3e0022e9359c7f776f49e006d0843cad273e936c84db06d168086
SHA512c314b15719bf7884f8d721a6ed53a86654869c72cd0aac3933a9d06719f9239fe16f7e16800ed3c901b001a5f06b921edb1f67137dc3c1c347feacfa5f7902dd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize27KB
MD5f549e7206f41f5166ce00691dc8ea543
SHA148c2e313306a2be007ee3822254097fb0b2bfbb0
SHA2565a6eae66bdddfee6a07a792990779690ca2b645c34a8ade8b423c5ce0ff7e997
SHA5126292cad82f129d982a4262854e3a8fce725ba397731ef9ead7f82ca151a32a52f1690727fadd7137e75ce639840887523e8785ee15c22070c4b3cb81183a623c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
612B
MD5e3eb0a1df437f3f97a64aca5952c8ea0
SHA17dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA25638ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA51243573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf
-
Filesize
1.1MB
MD542a8588cc82773cd223c42f8fe4be91a
SHA1e2ed3cda00140ecd445f5f742729d34f2c452c8c
SHA256d4521c34f489f4a6065dea15634df9bb700c84741f476bde1084d9cdfb373a7b
SHA512681e4b155ce1015723469bd819618b292844aa00f7dab447d9557e244792efcef5614f753283efe9dd76ea77b838af78a3e69008c380482a4412b1cea75c535d
-
Filesize
1.2MB
MD522a9baec9032c267d9f760853a3fd162
SHA16fdde24f545e1b99250ccb7a49456ef689b7e749
SHA2568966e3c68cc4ad6cddf5479732785de05ad187d939a8ea3ac76ecf6169c1d599
SHA5122df72347ce613f7cdc47fb1bf95b1c169e20bfa3d99df8b88aa90aab0a9d7e2269a1dc4f7456ef3e6a76d58b2548bf396c14f443d7b640a12eeaf3bc1ac99fcc
-
Filesize
313KB
MD5876a365bda09b9ef39605e375d677f0a
SHA12c12b38ed2d84722cf5dcea8bd45cfa7d7b55ba4
SHA256ed252fe89ba1243bad21f373c952b16940a0094149b0be50e5c3da9c20a23234
SHA5122a2df513d61e9b0eeedf099bb6a04962caa5eb31149efc24421bc30236886fc4a60fb7bcabed46069f0a13789ca34d4f21bc02f3c53bd8cf428be399ae63cb7d
-
Filesize
2.1MB
MD5e48d0435a98834793ce9de1bb80fcf9a
SHA1f783ad89853913987852c17e950f9697afbc4ede
SHA256bb6973b370222c70d95255622b354a328809a1116d31c69122b35508e1601831
SHA5127e3018a7f2741cf8adc3491eea00a2c67b25831f51904a956dc63fc8eac2bac876d4015f5aa0ab554bf45c5a2f93adca0d0810aad758e61d072c3e0b038553a2
-
Filesize
302KB
MD5a9502d407c7a3e0c43ad669c27638793
SHA1bf0b7815c6dac82643a5bf7bd397a6aa58a9e803
SHA2565f3cd8392c045a321ccf0ede6f38a4016a236f257d0a6ab897bf7f3e21868135
SHA5120dbe8772ded05ba2c67ea7a7e9bc291b76d8b73dbab86a35fca5b1138be41c2ee7a54333fcd7bf58823ab3b5f1f6250b98b829ca0c367cafb2176350f5454d25
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
3.4MB
MD5c7c0d32aaf36dfb7b97fc873009d8d84
SHA1f294cf8a175f851e0b1ebb8ee08807a98a390887
SHA256f4e87c239d2edcf9bd364c1ba2b2abd78c2bc5f646c3c3ce2512655dfe9100fe
SHA512cb4b6841cf09f00b826e417327a8a2736c201e466839aea0f0131e8678d057d23ceca1a8f2a7fd17f3e5b3ee90a8ec6bc3727d2b490e6791f2b749c182b7fb15
-
Filesize
947KB
MD52647de44736cddce93e420de31e6a92c
SHA117820881a890b3cb89869d71d50ae90cd1f1082b
SHA256a05138272c918e87f7f841919f12fa398079b3147d4d3c8b0d83b9ea87579a05
SHA512a1577a8a18dc10a117bd52aee64800cfd79500e545dbc6c99ab5b068b1a1617e725a05401203d4647e26933d5a7027b19cea07301a4b8f724de09ea98fe4e5c2
-
Filesize
1.7MB
MD5c31fe40f860b41c8cc1762c03c73b877
SHA150b66cdace74107cf7c81f3e44fca9950ef056e6
SHA2564689172ce4cf5350001abf8a32dff840a4e677647c0368b4901f07ef199aeba8
SHA512f34ed9d4d9103819adb33af73c8fe1ee0bc8a643a2a21747c71be0085d2b0b7d2f9964f76cd672ecb97a051e4852973692cfb772f7561c5a7f529f6b476a9f18
-
Filesize
2.6MB
MD5bf65e919d02e2e79e22415d9fc896aba
SHA1270953381ac1cb8f6ffb1f0f86f79fe6ae1197bf
SHA256a1e79e829e95951dd7b70044091eb9b458eba9b5edbecded211fc61d717fcce5
SHA51265817e3bbea8b2548a0e3fcdff97a06270e1f97f25352dffc5cc07d7a8b6842eb7356c0e9e0f4ff8083d9179fe76e490e157e388b47dfbb78d50e47151be0c82
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
3.1MB
MD5197f7a10814e446ee3d649f2509b1608
SHA1a459ec5320318e01318105d8e87e707ea480a4c7
SHA256b4ab50c0c3a89046764d4b805c9c4cf5cbe6ae07aa2eddb5e445c11479a912ce
SHA512b595f5b8de7ecf96cb18f9f1de10bbb4988bb9b6412e1837b49469b78f7f15bbae661b8092b1d46fa6d2bdfeaa5f0e8e0f493c70dbe7d94c66cba325d83e6c85
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
1.7MB
MD55eb39ba3698c99891a6b6eb036cfb653
SHA1d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA5126c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5362c0ab3a98c4d259f525abec6668ff7
SHA1041395e93a455e0f3466e82ba7d7f0f06678658f
SHA256795bb0bebc0eddd6cacdf4aa778440807883c525801c331618d9951d9c80e79e
SHA512aef9360d9002ee885d98492fd335d74c048b68dccf5de3b01bd4803bdb6d32faa1de45cf2127d17dff0cf206ffda80415b7680e9d103052a8ab196cbd834d651
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\e564717e-cfbc-4f32-97ee-529a0563d17f
Filesize13KB
MD5b431b02a1b139a993c2c5f741699570f
SHA111293436c7b0d165a71cb828dd961b87ed2ce6e4
SHA2568652d3cdd86bd4ccb1373b5caca097b644d4af643644cdb4a9301605c862a8ff
SHA512f027bd71ca35cdbf3f464252b936537ab8a16eadd5a615c7f0bc5b0dff893595f2543c34e3bde6f693599308a059eb9738ae1fb955889463952b890f971f6da3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\fb0494a7-ef93-44bd-b93a-ef3c62a7310b
Filesize745B
MD51822caa0d2fc70583cb96eb4cdcbbfc5
SHA1d685d32eb9314a77b38a7b0a1be5365e461ac396
SHA256c0449186fae8c17609132279684eb8348180316598479a97990bab8da7afdcf0
SHA5120f169bb37039dc691b85c19208ea576eea7bfa92a8ababca72b6e4c8b21e7951caa28cac26b60eda6f5ece64e5b360e4810cd1622a65fad89f37050e5dd698da
-
Filesize
6KB
MD564510b90273fbf750e1e6a3bc32952fa
SHA1ce46f30e38b5ca72307a18bbbbca809bcaf63110
SHA2563f8cfa500a19a38263fe18eb5e4d0926735c05481b57f4f6356169e451ac875d
SHA512467fb93a598c66277aa9aa8b7f0c567ba30b8810529fafb09579a0112b9f600c7605db8ac47433273d10114e8afc9a12d4d6efae9308da02700225b3af656c7c
-
Filesize
6KB
MD5ac556a54b7bea59504d9dd6ea2d4a3aa
SHA19c5540f1fe036afbd3c615aff7bf24ad9461df55
SHA25658eed88e59020c975fd77de0d431d0f2eb637588d7a288697f18ccf28a64a573
SHA5126afe5b731785708fbc47714a0e85028949ca3fbfaf3383b809d38d8bde13490e84f6596010a0288e00690bd44af1989e59733854ba63844ad45d0f29ec422dc1
-
Filesize
6KB
MD5945c8e6efae76dd0b4a3d56e20cfb88d
SHA126143aca99ef2cddfc4e5a50a51d1b651366ea21
SHA25608850747ed7afb46c365739888c4731b177496ad3687fb824495ac3f505b659c
SHA512818cbe3f0ea0b57be275e6c2bf893bf4654692055118aef78ef1c7b3ae8b40e293ec64561dd22d568e83941486486840b6a289c62eedd36804743a04de413c57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD53d95e420bda5497f6bf4aca729f97484
SHA18c1ab0dd370633eba6f005b25e0853f8b46b99e6
SHA256f3989e16691086211d9496094665e879ca46aa9a8000607d5bc90990608631c5
SHA512e1f64ca3b9cecf2509237d467ef27329c11fa437ff2c9c80b3509c2cb36f81e9a5709838516708e84e803689573d7061816d5b0967d239cc0968ca83d1442fe4