Analysis
  max time kernel: 25s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16/12/2024, 02:33
Static task: static1
General
  Target: a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Size: 2.9MB
  MD5: 1d272c9aa998704c62b578a03ea79db0
  SHA1: 0bfb5ffd37a278143649f15efbf3b8725b25f89b
  SHA256: a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a
  SHA512: 8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8
  SSDEEP: 49152:0wH8eUbUu/g2CpfY3m9/Py/vxbhOQ1kK1dkUsVXos3xfHfMm3ScftLQJiME+N:0wT5u/g2CpfY3m9/PexbQAkK1dkh3xvL
Malware Config
  Extracted
    Family: amadey
    Version: 4.42
    Botnet: 9c9aa5
    C2: http://185.215.113.43
    Attributes:
      install_dir: abc3bc1985
      install_file: skotes.exe
      strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
      url_paths: /Zu7JuNko/index.php
  Extracted
    Family: lumma
    C2:
      https://sordid-snaked.cyou/api
      https://awake-weaves.cyou/api
      https://wrathful-jammy.cyou/api
      https://debonairnukk.xyz/api
      https://diffuculttan.xyz/api
      https://effecterectz.xyz/api
      https://deafeninggeh.biz/api
      https://immureprech.biz/api
      https://shineugler.biz/api
      https://tacitglibbr.biz/api
  Extracted
    Family: cryptbot
  Extracted
    Family: stealc
    Botnet: stok
    C2: http://185.215.113.206
    Attributes:
      url_path: /c4becf79229cb002.php
  Extracted
    Family: lumma
    C2: https://shineugler.biz/api
Signatures
  Amadey family
  Cryptbot family
  Lumma family
  Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 4 IoCs]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | H9TU4oY.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 8 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | H9TU4oY.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | H9TU4oY.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe

Checks computer location settings  [2 TTPs, 2 IoCs]
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | skotes.exe

Drops startup file  [1 IoCs]
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk | 2GxWWLQ9MnO4hseH.exe

Executes dropped EXE  [7 IoCs]
  pid | Process
  3616 | skotes.exe
  1576 | skotes.exe
  1612 | H9TU4oY.exe
  4444 | ShtrayEasy35.exe
  2236 | 2GxWWLQ9MnO4hseH.exe
  1128 | IQ7ux2z.exe
  2904 | sUSFJjY.exe

Identifies Wine through registry keys  [2 TTPs, 4 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | H9TU4oY.exe

Reads user/profile data of local email clients  [2 TTPs]
  Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers  [3 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]

Adds Run key to start application  [2 TTPs, 1 IoCs]
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XCEXiMEo\\2GxWWLQ9MnO4hseH.exe" | 2GxWWLQ9MnO4hseH.exe

Checks installed software on the system  [1 TTPs]
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Power Settings  [1 TTPs, 4 IoCs]
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid | Process
  5580 | powercfg.exe
  6224 | powercfg.exe
  5552 | powercfg.exe
  2880 | powercfg.exe

AutoIT Executable  [1 IoCs]
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0003000000000709-16216.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger  [4 IoCs]
  pid | Process
  1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  3616 | skotes.exe
  1576 | skotes.exe
  1612 | H9TU4oY.exe

Drops file in Windows directory  [1 IoCs]
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Enumerates physical storage devices  [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).

Program crash  [1 IoCs]
  pid | pid_target | Process | procid_target
  6864 | 3180 | WerFault.exe | 109

System Location Discovery: System Language Discovery  [1 TTPs, 6 IoCs]
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | H9TU4oY.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ShtrayEasy35.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2GxWWLQ9MnO4hseH.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IQ7ux2z.exe

Delays execution with timeout.exe  [1 IoCs]
  pid | Process
  6996 | timeout.exe

Kills process with taskkill  [5 IoCs]
  pid | Process
  6104 | taskkill.exe
  5472 | taskkill.exe
  5272 | taskkill.exe
  6812 | taskkill.exe
  6112 | taskkill.exe

Suspicious behavior: EnumeratesProcesses  [16 IoCs]
  pid | Process
  1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
  3616 | skotes.exe
  3616 | skotes.exe
  1576 | skotes.exe
  1576 | skotes.exe
  1612 | H9TU4oY.exe
  1612 | H9TU4oY.exe
  4444 | ShtrayEasy35.exe
  4444 | ShtrayEasy35.exe
  2236 | 2GxWWLQ9MnO4hseH.exe
  2236 | 2GxWWLQ9MnO4hseH.exe
  1612 | H9TU4oY.exe
  1612 | H9TU4oY.exe
  1612 | H9TU4oY.exe
  1612 | H9TU4oY.exe

Suspicious use of AdjustPrivilegeToken  [1 IoCs]
  description | pid | Process
  Token: SeDebugPrivilege | 1128 | IQ7ux2z.exe

Suspicious use of FindShellTrayWindow  [1 IoCs]
  pid | Process
  1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe

Suspicious use of WriteProcessMemory  [17 IoCs]
  description | pid | Process | procid_target
  PID 1664 wrote to memory of 3616 | 1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe | 83
  PID 1664 wrote to memory of 3616 | 1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe | 83
  PID 1664 wrote to memory of 3616 | 1664 | a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe | 83
  PID 3616 wrote to memory of 1612 | 3616 | skotes.exe | 86
  PID 3616 wrote to memory of 1612 | 3616 | skotes.exe | 86
  PID 3616 wrote to memory of 1612 | 3616 | skotes.exe | 86
  PID 3616 wrote to memory of 4444 | 3616 | skotes.exe | 91
  PID 3616 wrote to memory of 4444 | 3616 | skotes.exe | 91
  PID 3616 wrote to memory of 4444 | 3616 | skotes.exe | 91
  PID 4444 wrote to memory of 2236 | 4444 | ShtrayEasy35.exe | 92
  PID 4444 wrote to memory of 2236 | 4444 | ShtrayEasy35.exe | 92
  PID 4444 wrote to memory of 2236 | 4444 | ShtrayEasy35.exe | 92
  PID 3616 wrote to memory of 1128 | 3616 | skotes.exe | 97
  PID 3616 wrote to memory of 1128 | 3616 | skotes.exe | 97
  PID 3616 wrote to memory of 1128 | 3616 | skotes.exe | 97
  PID 3616 wrote to memory of 2904 | 3616 | skotes.exe | 99
  PID 3616 wrote to memory of 2904 | 3616 | skotes.exe | 99

Processes
  C:\Users\Admin\AppData\Local\Temp\a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1664
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3616
      C:\Users\Admin\AppData\Local\Temp\1015327001\H9TU4oY.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015327001\H9TU4oY.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1612
      C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4444
        C:\Users\Admin\AppData\Local\Temp\XCEXiMEo\2GxWWLQ9MnO4hseH.exe
          command line: C:\Users\Admin\AppData\Local\Temp\XCEXiMEo\2GxWWLQ9MnO4hseH.exe 4444
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 2236
      C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1128
        C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
          PID: 5880
      C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
        - Executes dropped EXE
        PID: 2904
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
          PID: 1436
      C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe"
        PID: 3560
        C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1015876001\e97b83f7ed.exe"
          PID: 316
      C:\Users\Admin\AppData\Local\Temp\1015877001\2040396f00.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015877001\2040396f00.exe"
        PID: 4476
      C:\Users\Admin\AppData\Local\Temp\1015878001\1bc94216f2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015878001\1bc94216f2.exe"
        PID: 4412
      C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe"
        PID: 3180
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015879001\4cf25f5804.exe" & rd /s /q "C:\ProgramData\0R1N7QQIMOZM" & exit
          PID: 2656
          C:\Windows\SysWOW64\timeout.exe
            command line: timeout /t 10
            - Delays execution with timeout.exe
            PID: 6996
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 2068
          - Program crash
          PID: 6864
      C:\Users\Admin\AppData\Local\Temp\1015880001\a61c1eb788.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015880001\a61c1eb788.exe"
        PID: 1060
        C:\Users\Admin\AppData\Local\Temp\GJDBSL7ZHH0PQ67KYAMQXT89.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\GJDBSL7ZHH0PQ67KYAMQXT89.exe"
          PID: 4596
        C:\Users\Admin\AppData\Local\Temp\C16QQ59TPHAVD1LW3N.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\C16QQ59TPHAVD1LW3N.exe"
          PID: 3296
      C:\Users\Admin\AppData\Local\Temp\1015881001\450f155b1a.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015881001\450f155b1a.exe"
        PID: 1980
      C:\Users\Admin\AppData\Local\Temp\1015882001\efb3b5ed51.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015882001\efb3b5ed51.exe"
        PID: 6712
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /F /IM firefox.exe /T
          - Kills process with taskkill
          PID: 6812
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /F /IM chrome.exe /T
          - Kills process with taskkill
          PID: 6112
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /F /IM msedge.exe /T
          - Kills process with taskkill
          PID: 6104
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /F /IM opera.exe /T
          - Kills process with taskkill
          PID: 5472
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /F /IM brave.exe /T
          - Kills process with taskkill
          PID: 5272
        C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          PID: 6856
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            PID: 2588
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471c9042-e096-45fa-b46c-c6e1af8bc20f} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" gpu
              PID: 6124
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22b11d65-9538-40a9-b3d4-12c25a09521a} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" socket
              PID: 5892
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de28d0b1-4bdb-41a4-af6d-6361b2462a70} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
              PID: 3576
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983c2276-40c2-49da-9a6c-e3c88b727f48} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
              PID: 1908
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1416 -prefMapHandle 4276 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c8e591-01e3-45c1-9da6-44cda10f559a} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" utility
              PID: 6032
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3116a89-66b9-4b35-ada6-f2102b91a7e7} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
              PID: 3716
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {853e92eb-7269-4f63-beca-183d1d19fb2d} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
              PID: 6592
            C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b1f3567-ebd0-44ae-b5e1-76ca0d978bb6} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
              PID: 5192
      C:\Users\Admin\AppData\Local\Temp\1015883001\6e3ff0ef11.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015883001\6e3ff0ef11.exe"
        PID: 1052
      C:\Users\Admin\AppData\Local\Temp\1015884001\edfed99544.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015884001\edfed99544.exe"
        PID: 6164
      C:\Users\Admin\AppData\Local\Temp\1015885001\f2fdf0ed0e.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1015885001\f2fdf0ed0e.exe"
        PID: 6960
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
          PID: 1892
          C:\Windows\system32\mode.com
            command line: mode 65,10
            PID: 5416
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 1576
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 6496
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    PID: 5776
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      PID: 2880
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      PID: 5552
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      PID: 6224
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      PID: 5580
    C:\Windows\explorer.exe
      command line: explorer.exe
      PID: 7124
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3180 -ip 3180
    PID: 2140
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 528
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Power Settings (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (3)
      Credentials In Files (3)
Downloads
  - C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
      Filesize: 28KB
      MD5: f53b6d9888b5a6262ced98b7d0a506c9
      SHA1: 94cb458f3e23929191e7fd50d4f77a31093890f8
      SHA256: 1b1ba36e8e55b0ce1756ce9fab17b603de08be16f006d202ad857841bc71f6b4
      SHA512: 8448199126afa6fbbe4dc90a682c64d6eff3b86ffaa4bd0f305dd7059f74c48eb126f43c2abc042918955bcae2b5347b82798e6b5a3e1d624a59ca790dfcf39a
  - C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
      Filesize: 15KB
      MD5: 96c542dec016d9ec1ecc4dddfcbaac66
      SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
      SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
      SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
  - Filesize: 1.7MB
      MD5: 6c1d0dabe1ec5e928f27b3223f25c26b
      SHA1: e25ab704a6e9b3e4c30a6c1f7043598a13856ad9
      SHA256: 92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d
      SHA512: 3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9
  - Filesize: 256KB
      MD5: c37a981bc24c4aba6454da4eecb7acbe
      SHA1: 2bffdf27d0d4f7c810e323c1671a87ed2d6b644f
      SHA256: d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361
      SHA512: 2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8
  - Filesize: 2.8MB
      MD5: 262910eb7fc46edcb0d3fd7f6f17ed86
      SHA1: bab28bfa59dfd46cbe199459e3444196c886c71b
      SHA256: 6fdbc3d0051edb05905ad7ba78cdba76673449b7740bbfb90f4cf7ed8c773711
      SHA512: c6d0d4079a4ca491bff01512b53ee213b8262273f06345b46b46b56e600ea11278698099f0fdd94cc0252bb76b4e398fb50a13c925b9941ab764a8fdbe238f97
  - Filesize: 2.8MB
      MD5: 0dad190f420a0a09ed8c262ca18b1097
      SHA1: b97535bf2960278b19bda8cad9e885b8eefbdc85
      SHA256: 29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a
      SHA512: 8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646
  - Filesize: 87KB
      MD5: 3c104350cc2661c345673e91ed672c4c
      SHA1: d205e94d47949cf3bc3f5226978f6d370c3d3b94
      SHA256: 1fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4
      SHA512: 9c02bde2d096e181f00e906f4e242905d0e54dd207f309764805c7444c9f43073106812ade97fca9fc2363f59ed071371276880ce85e9a307fcdb03d3250cf6a
  - Filesize: 710KB
      MD5: 28e568616a7b792cac1726deb77d9039
      SHA1: 39890a418fb391b823ed5084533e2e24dff021e1
      SHA256: 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
      SHA512: 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
  - Filesize: 4.2MB
      MD5: 3617bfad36063c68a129b7e2bd89ceef
      SHA1: 6621e1f1403b9fa874124c374021034a3c86421e
      SHA256: e5637e64459e1868bf6318ea3b48b76ecf3f5669992ba882a7ddab2567af8b24
      SHA512: fdf2d08361b48faccf5ee0e2f04104f07f4677a0299a80d49cf50aabd952a6bb23332f51b12102d87c01ee3291bf1bc3833035e42d613e4c35e657dc06044c21
  - Filesize: 4.3MB
      MD5: c5f945671aec219fd0af66f72065a536
      SHA1: 7956212b4272158ebf29243e79067cc73066fee6
      SHA256: 7fdc637cd02ad95b233c17569424fe28b53228f5d7dc853dc1449527ad2fd05d
      SHA512: 1cf363e35bbdaa90af47ff79e59a3175559b81d6ec63b296534793b1b406b883dd0b89412b0115be4a42041d27c15e97e494b284e092397d1878b8dfb544144a
  - Filesize: 384KB
      MD5: dfd5f78a711fa92337010ecc028470b4
      SHA1: 1a389091178f2be8ce486cd860de16263f8e902e
      SHA256: da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
      SHA512: a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
  - Filesize: 1.8MB
      MD5: f9694cb15c258cf8125cf0c317c77479
      SHA1: ad7ab004164e247a32fb8eb4187103a1eaf73657
      SHA256: 37aafa95a96bdc9144593c820466f3f063cd0e9fb3c6d2bcfab4c1bf0b61e51b
      SHA512: 41504ae13f21e126508b91cdacc3d993790b7ce6001a0d58353860ad4eccb76858f553f4dd49d1960fae09a777160493932c0bb9acebd3bad3aae6e0dc2e2351
  - Filesize: 1.7MB
      MD5: f660a7ff99befe7ae52d2636a0e8db46
      SHA1: 41b7e90dbf2ce54bd4e3048d0dc1b7e9d59d81ee
      SHA256: 526d8ce745c14bac28de547ee616d66bec13517e558da772982b41cb9d6dda62
      SHA512: 4f13dc0b5c8003b3dc7a5f3faa02c4e103da106722d53494a74e419756d1ce8c35b308641e7690bb932002b0d16411caedb60e63138d33cbfe78520ca8bd0240
  - Filesize: 946KB
      MD5: 6bf59db9dafe72201466700ea8cb334d
      SHA1: e3649b55eb5141245e634374aa4a6385dba214e6
      SHA256: acdc360a0c9680c407d43df48f143af92d99d5c034a152e78b5da5220dbeb249
      SHA512: f44354e412d85b7025c486d2582976f684a57216267c37dbc2fea2b6ba5e9808a098f663258569a5a998d849e97b15a15d617f834e9b768e01391daf0ff261bd
  - Filesize: 2.6MB
      MD5: e5cfad81f5397d7eeed2e7251b7e6e7a
      SHA1: 84184161e1b542773e5c74909ce37bb1f8f2238e
      SHA256: 46cb31f14f15b4f13d203fe4138401adccf3163cf405fe907e7ee86bbd1c2387
      SHA512: fad966d925810d75be01d20b2b2bbf45755a30d385754878764fec0f1d45100490ba8c4ea279429f91c627cfa8f6b0e2abc70abdb8b645dddf1abd4cf021656a
  - Filesize: 4.2MB
      MD5: 3a425626cbd40345f5b8dddd6b2b9efa
      SHA1: 7b50e108e293e54c15dce816552356f424eea97a
      SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
      SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
  - Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  - Filesize: 2.9MB
      MD5: 1d272c9aa998704c62b578a03ea79db0
      SHA1: 0bfb5ffd37a278143649f15efbf3b8725b25f89b
      SHA256: a33b0b0c51bcff2ee0eb94ee480383fbf4971bc723f06c95361b24805d8e4f9a
      SHA512: 8de05686653f6779327abd212946ea3bcad946fd6e014accd47d411d58c7eb95b62365e015daa0ea94d6bb5835227e7c657fca72a88a1de41674e99a078be6c8
  - Filesize: 440B
      MD5: 3626532127e3066df98e34c3d56a1869
      SHA1: 5fa7102f02615afde4efd4ed091744e842c63f78
      SHA256: 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
      SHA512: dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
  - Filesize: 1KB
      MD5: f1358bff48b36280aa92a53b83f0ff38
      SHA1: 4975bbb3bc33cc0cca7d9c508aa1ffcb0cfe5b48
      SHA256: f8f1c343928201165c52d00e6d785d59ec98f9f27ffb7e005f2f7a59510f0925
      SHA512: da9f515938b13532c4f7b45f92cedbeb462aac8891ae7c17e0cb07757d310e45926a643cd302f0a0574ff015cb31181b2a1ca54e0e2d433382416c19e0d6dabc
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
      Filesize: 8KB
      MD5: 7ae88575fb2871047e9350dc66c4a39e
      SHA1: 2cf401652472f9583cc1de5703eef11d08c1a8ec
      SHA256: 96c6b2783a44920f8e83802407c381169048942fb4cdb24d28c3e84c60d09d32
      SHA512: 2f17385fe2728c933bbc8e245e3b169baa9353acc890fbda917850881114a0b2f902fa5d2fabd5d72eb54397ecffb3c3efc627eb0fb6f1c293b77231c2f1aaf2
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
      Filesize: 22KB
      MD5: 67612784bb7581902c7fa28b7e514cfe
      SHA1: 27fb3b6897f30076af387cca0d64da8f1a78f0f8
      SHA256: b06e5ade49fb7a914ba2472c0c9bdc4880e862ab0e4c26f64a952aaa3e12daac
      SHA512: 298c610795c90651fb49ed87606307e5ab882285d9ed16648decc1fa2944b6ce9b102bf910f6dec5651770ff0e7e833f08eff609cd32c380969b816f0b92a110
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
      Filesize: 22KB
      MD5: 462ffb2c80a1d7050a1e4fe0a989ac90
      SHA1: 32451d68ffdb7919aab5bd9d4477d5dc99d4f250
      SHA256: 112986dfb6b5449ada643b86eda48e4686e39e789c9b2e617ca7403a04ecb596
      SHA512: 9eb035aad61a9a89d357b0330aa07fedc5299ba860c3fc5305497d8fa3f0c515b053c2392779ddf0ed4e2ced27abf2ccff505b7c1f140dd5a008eddc54b5ca5f
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
      Filesize: 23KB
      MD5: 69489c2b2a666dffcc96b1d464a7edf9
      SHA1: 1fc95272e2e4b10c6dfa7fa629a43a295c0aa817
      SHA256: 9f5b2eb0842ae118db288fc7662eb42e407ed1cb64ce7c95f36a74b0f235e2e7
      SHA512: ff7b9532d70139c9801b47a7ca3d6a8b6ce901d41e49597fe675a5905518b9e76bc167daf56a452e5d2059932e9e055aa9721783888b645a687918f70f430e54
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\42166efd-a965-474f-9280-63e05b36b172
      Filesize: 659B
      MD5: 32e2c4299c8698331229c3cc2d164252
      SHA1: 349b8e5be97be21b5177de7fb8f3cb1572c6220e
      SHA256: 3ceab137c4258b4143c0673972a691d945f2e524f62c6b5326f880b5408815bf
      SHA512: 9453ee52aebd2357d1f54ce96767437b1be547791d6364b95c0edc5978fbcc406eb5fdb635e186cd2f288cce88ddedd3b5c43e47b1b8f35f9a2c7511c58d1d34
  - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\723976ed-416f-4bab-99c1-4a0df611ab37
      Filesize: 982B
      MD5: 68c94c999c73146d6a1d4cc170705215
      SHA1: 095bcf1f044a546a338d9b2010a5e0cbbe4a891d
      SHA256: 38ae0e7e5cccd2fbffa9928b2957126065c6e10e4f4f15649233f36506575cdc
      SHA512: 2e8c726601cd20f290f30707c447873a7c92ef4d8837a56c7093fa06501039b7952b814b2cabf73d67e2a7b4f9b716c4c3288bff20f8757fb6fb349aab3f1fea
  - Filesize: 10KB
      MD5: ec9341ef08754d61e51960d742a52102
      SHA1: 1fa599fa0d4cc7ab556fb6cb8de54daf85af6b7e
      SHA256: 34b7ecff3675bf66f167f423048536b69e210902436f5afe5472a3b64c2ffabb
      SHA512: d6b3f44d60cce46ebc3ad521a6c04c3caa1267ae6503c08fe1c23f3cbb81e3d6032c04f25aea4b5e8e6b3325bb94671bee09afaecfdff782cf21bb1217d82a73
  - Filesize: 10KB
      MD5: e4d4b07409f05b162104d412ec1df9fa
      SHA1: 6bc0b432a0a93a43675d1672052578f11e5cfc27
      SHA256: e661a7835171f1c30ab97df720fc2aa13b2b954247bb85f1ad068146098ae6d5
      SHA512: 553277f695919b859696d35f9a4cf32bcd82b1b2a380879866cf0eafcfa59c23f4b3bb7d9355debd55318989fae8c93925323b2ffd1e1076cad0c00c67e0953c