Analysis
max time kernel: 118s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 21:53
Static task: static1
General
Target: 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe
Size: 3.5MB
MD5: bc32de8d97215421a34fd734b10bbd50
SHA1: a8bf5f12a9da2e4c8fb229d84e180e95530071ab
SHA256: 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb
SHA512: 4c30330fd3bbb5c36d962985727eb7ce04dfabd847fe5db4bb1790142dc70c127b1b4f5813b2e5ade064e4cf4291956d931e6b208d02df226f38bbdf1caed91f
SSDEEP: 49152:iynXD6tVLVbhqRm3toeSbmYgt2AN20+q6eaAszjigcKtg5hJh:6jdqRm3+eSwN20X6CszjiDvh
Malware Config
Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: lumma
Extracted: stealc
  stok
  http://185.215.113.206
  url_path: /c4becf79229cb002.php
Extracted: cryptbot
  http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734
Extracted: lumma
  https://tacitglibbr.biz/api
Signatures
- Amadey family
- Cryptbot family
- Lumma family
- [signature title not captured in extraction]
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Netsupport family
- Stealc family
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 5060 created 2804 | 5060 | cc52689236.exe | 49
- Xmrig family
- Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | f1722d687f.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 12 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe (x3), 016de88efc.exe, f1722d687f.exe, 1T31J4.exe, 2Y7445.exe, HFX64SQRC6T1LS2D09B5IIVMCG.exe, LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe, fcaaaec432.exe, cc52689236.exe, a412c43f30.exe
- XMRig Miner payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2292-422-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 24 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe (x3), 2Y7445.exe, LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe, 016de88efc.exe, fcaaaec432.exe, cc52689236.exe, 1T31J4.exe, f1722d687f.exe, a412c43f30.exe, HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2Y7445.exe, skotes.exe (x3), 1T31J4.exe, HFX64SQRC6T1LS2D09B5IIVMCG.exe, LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe, 016de88efc.exe, fcaaaec432.exe, f1722d687f.exe, cc52689236.exe, a412c43f30.exe
- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 1T31J4.exe, skotes.exe, 11.exe, 2.exe, 287c0c2c35.exe
- Executes dropped EXE (34 IoCs)
  pid | Process
  3484 | 1T31J4.exe
  2096 | skotes.exe
  2268 | 2Y7445.exe
  3500 | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  2648 | LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe
  2764 | skotes.exe
  4084 | Dh5yvWY.exe
  2188 | Sibuia.exe
  3848 | sibjs.exe
  3984 | Setup.exe
  5100 | 11.exe
  5060 | 2.exe
  3176 | FutureApp.exe
  2728 | 740af2c1d3.exe
  4760 | 740af2c1d3.exe
  556 | 016de88efc.exe
  5088 | fcaaaec432.exe
  5076 | f1722d687f.exe
  5060 | cc52689236.exe
  3748 | edc2fafce9.exe
  2916 | edc2fafce9.exe
  1768 | 287c0c2c35.exe
  2940 | 7z.exe
  2412 | 7z.exe
  736 | 7z.exe
  3500 | 7z.exe
  5032 | 7z.exe
  4864 | 7z.exe
  688 | 7z.exe
  2904 | 7z.exe
  2020 | in.exe
  4552 | a412c43f30.exe
  780 | skotes.exe
  2800 | Intel_PTT_EK_Recertification.exe
- Identifies Wine through registry keys (2 TTPs, 12 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | HFX64SQRC6T1LS2D09B5IIVMCG.exe, LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe, skotes.exe (x3), 016de88efc.exe, fcaaaec432.exe, 2Y7445.exe, f1722d687f.exe, cc52689236.exe, a412c43f30.exe, 1T31J4.exe
- Loads dropped DLL (18 IoCs)
  pid | Process
  4084 | Dh5yvWY.exe
  3848 | sibjs.exe (x4)
  3176 | FutureApp.exe (x5)
  2940 | 7z.exe
  2412 | 7z.exe
  736 | 7z.exe
  3500 | 7z.exe
  5032 | 7z.exe
  4864 | 7z.exe
  688 | 7z.exe
  2904 | 7z.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- [signature title not captured in extraction]
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | HFX64SQRC6T1LS2D09B5IIVMCG.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\ProgramData\\FutureApp\\FutureApp.exe" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\ProgramData\\FutureApp\\FutureApp.exe" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  pid | Process
  3484 | 1T31J4.exe
  2096 | skotes.exe
  2268 | 2Y7445.exe
  3500 | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  2648 | LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe
  2764 | skotes.exe
  556 | 016de88efc.exe
  5088 | fcaaaec432.exe
  5076 | f1722d687f.exe
  5060 | cc52689236.exe
  4552 | a412c43f30.exe
  780 | skotes.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2728 set thread context of 4760 | 2728 | 740af2c1d3.exe | 126
  PID 3748 set thread context of 2916 | 3748 | edc2fafce9.exe | 141
- [signature title not captured in extraction]
  resource | yara_rule
  behavioral1/memory/2020-388-0x00007FF77C0D0000-0x00007FF77C560000-memory.dmp | upx
  behavioral1/memory/2020-391-0x00007FF77C0D0000-0x00007FF77C560000-memory.dmp | upx
  behavioral1/memory/2800-420-0x00007FF6F69C0000-0x00007FF6F6E50000-memory.dmp | upx
  behavioral1/memory/2800-433-0x00007FF6F69C0000-0x00007FF6F6E50000-memory.dmp | upx
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | 1T31J4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2628 | 5060 | WerFault.exe | 133
- System Location Discovery: System Language Discovery (1 TTPs, 28 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe, cmd.exe (x2), edc2fafce9.exe (x2), Setup.exe, 740af2c1d3.exe (x2), f1722d687f.exe, LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe, 2.exe, fcaaaec432.exe, a412c43f30.exe, 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe, 1T31J4.exe, HFX64SQRC6T1LS2D09B5IIVMCG.exe, 11.exe, 287c0c2c35.exe, reg.exe (x2), cc52689236.exe, Sibuia.exe, FutureApp.exe, 016de88efc.exe, 2Y7445.exe, Dh5yvWY.exe, sibjs.exe, svchost.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  5072 | powershell.exe
  2888 | PING.EXE
  776 | powershell.exe
  2328 | PING.EXE
- Runs ping.exe (1 TTPs, 2 IoCs)
  pid | Process
  2888 | PING.EXE
  2328 | PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4836 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (occurrences)
  3484 | 1T31J4.exe (x2)
  2096 | skotes.exe (x2)
  2268 | 2Y7445.exe (x6)
  3500 | HFX64SQRC6T1LS2D09B5IIVMCG.exe (x4)
  2648 | LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe (x2)
  2764 | skotes.exe (x2)
  4760 | 740af2c1d3.exe (x4)
  556 | 016de88efc.exe (x6)
  5088 | fcaaaec432.exe (x6)
  5076 | f1722d687f.exe (x10)
  5060 | cc52689236.exe (x6)
  2140 | svchost.exe (x4)
  2916 | edc2fafce9.exe (x4)
  5072 | powershell.exe (x2)
  4552 | a412c43f30.exe (x2)
  780 | skotes.exe (x2)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3500 | HFX64SQRC6T1LS2D09B5IIVMCG.exe
  Token: SeSecurityPrivilege | 3176 | FutureApp.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 2940 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 2412 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 736 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 3500 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 5032 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 4864 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 688 | 7z.exe
  Token: SeRestorePrivilege, Token: 35, Token: SeSecurityPrivilege (x2) | 2904 | 7z.exe
  Token: SeDebugPrivilege | 5072 | powershell.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3484 | 1T31J4.exe
  3176 | FutureApp.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (occurrences)
  PID 2024 wrote to memory of 3484 | 2024 | 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe | 83 (x3)
  PID 3484 wrote to memory of 2096 | 3484 | 1T31J4.exe | 84 (x3)
  PID 2024 wrote to memory of 2268 | 2024 | 9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe | 85 (x3)
  PID 2268 wrote to memory of 3500 | 2268 | 2Y7445.exe | 103 (x3)
  PID 2268 wrote to memory of 2648 | 2268 | 2Y7445.exe | 104 (x3)
  PID 2096 wrote to memory of 4084 | 2096 | skotes.exe | 106 (x3)
  PID 4084 wrote to memory of 2188 | 4084 | Dh5yvWY.exe | 107 (x3)
  PID 2188 wrote to memory of 3848 | 2188 | Sibuia.exe | 110 (x3)
  PID 2188 wrote to memory of 3984 | 2188 | Sibuia.exe | 111 (x3)
  PID 2188 wrote to memory of 5100 | 2188 | Sibuia.exe | 112 (x3)
  PID 5100 wrote to memory of 1248 | 5100 | 11.exe | 113 (x3)
  PID 2188 wrote to memory of 5060 | 2188 | Sibuia.exe | 117 (x3)
  PID 1248 wrote to memory of 3172 | 1248 | cmd.exe | 118 (x3)
  PID 1248 wrote to memory of 732 | 1248 | cmd.exe | 119 (x3)
  PID 5060 wrote to memory of 1616 | 5060 | 2.exe | 120 (x3)
  PID 1616 wrote to memory of 3176 | 1616 | cmd.exe | 122 (x3)
  PID 2096 wrote to memory of 2728 | 2096 | skotes.exe | 124 (x3)
  PID 2728 wrote to memory of 4760 | 2728 | 740af2c1d3.exe | 126 (x9)
  PID 2096 wrote to memory of 556 | 2096 | skotes.exe | 128 (x3)
  PID 2096 wrote to memory of 5088 | 2096 | skotes.exe | 130 (x1)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  pid | Process
  4260 | attrib.exe
  3728 | attrib.exe
  2304 | attrib.exe
Processes
[1] C:\Windows\system32\sihost.exe | cmdline: sihost.exe | PID 2804
  [2] C:\Windows\SysWOW64\svchost.exe | cmdline: "C:\Windows\System32\svchost.exe" | PID 2140
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe" | PID 2024
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1T31J4.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1T31J4.exe | PID 3484
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe" | PID 2096
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\1017082001\Dh5yvWY.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017082001\Dh5yvWY.exe" | PID 4084
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibuia.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibuia.exe TRUE 111 0 | PID 2188
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\FutureApp\sibjs.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\FutureApp\sibjs.exe" TRUE 000 False cond_pkg | PID 3848
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\FutureApp\0\Setup.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\FutureApp\0\Setup.exe" -s | PID 3984
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\FutureApp\1\11.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\FutureApp\1\11.exe" -s | PID 5100
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\FutureApp\1.bat" " | PID 1248
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\reg.exe | cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\ProgramData\FutureApp\FutureApp.exe" | PID 3172
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\reg.exe | cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\ProgramData\FutureApp\FutureApp.exe" | PID 732
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\FutureApp\2\2.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\FutureApp\2\2.exe" -s | PID 5060
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\FutureApp\2.bat" " | PID 1616
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\ProgramData\FutureApp\FutureApp.exe | cmdline: C:\ProgramData\FutureApp\FutureApp.exe | PID 3176
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
      [4] C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe" | PID 2728
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe" | PID 4760
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\1017120001\016de88efc.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017120001\016de88efc.exe" | PID 556
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\1017121001\fcaaaec432.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017121001\fcaaaec432.exe" | PID 5088
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\1017122001\f1722d687f.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017122001\f1722d687f.exe" | PID 5076
          - Enumerates VirtualBox registry keys
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\1017123001\cc52689236.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017123001\cc52689236.exe" | PID 5060
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 772 | PID 2628
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe" | PID 3748
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe" | PID 2916
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\1017125001\287c0c2c35.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017125001\287c0c2c35.exe" | PID 1768
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S" | PID 764
          [6] C:\Windows\system32\mode.com | cmdline: mode 65,10 | PID 1364
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted | PID 2940
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_7.zip -oextracted | PID 2412
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_6.zip -oextracted | PID 736
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_5.zip -oextracted | PID 3500
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_4.zip -oextracted | PID 5032
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_3.zip -oextracted | PID 4864
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_2.zip -oextracted | PID 688
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\main\7z.exe | cmdline: 7z.exe e extracted/file_1.zip -oextracted | PID 2904
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\attrib.exe | cmdline: attrib +H "in.exe" | PID 2304
              - Views/modifies file attributes
          [6] C:\Users\Admin\AppData\Local\Temp\main\in.exe | cmdline: "in.exe" | PID 2020
              - Executes dropped EXE
            [7] C:\Windows\SYSTEM32\attrib.exe | cmdline: attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe | PID 4260
                - Views/modifies file attributes
            [7] C:\Windows\SYSTEM32\attrib.exe | cmdline: attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe | PID 3728
                - Views/modifies file attributes
            [7] C:\Windows\SYSTEM32\schtasks.exe | cmdline: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE | PID 4836
                - Scheduled Task/Job: Scheduled Task
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: powershell ping 127.0.0.1; del in.exe | PID 5072
                - System Network Configuration Discovery: Internet Connection Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\PING.EXE | cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 | PID 2888
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\1017126001\a412c43f30.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\1017126001\a412c43f30.exe" | PID 4552
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Y7445.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Y7445.exe | PID 2268
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\HFX64SQRC6T1LS2D09B5IIVMCG.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\HFX64SQRC6T1LS2D09B5IIVMCG.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
C:\Users\Admin\AppData\Local\Temp\LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe"C:\Users\Admin\AppData\Local\Temp\LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2648
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 50601⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:780
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\explorer.exeexplorer.exe2⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:776 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2328
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Discovery
- Browser Information Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (3)
Downloads
- Filesize: 273B
  MD5: 6830c0150df001a38bb0861ca4b845fc
  SHA1: 75d73856cd61dd44f24963b3d37b1d5643da0340
  SHA256: c6dd5ebe08a4b916d36891d1ee4dce580a373f7e0dca5da285962bf18e55e696
  SHA512: 1891d90c288af59a27ed6cd5d9f221fc8155181c7825effc97680c11530d880688cce3c3e0e6649c8b213cfc4acc1a619039bda225fc3c803ca57014da0ef779
- Filesize: 54B
  MD5: 96067949bdf249671fc66c8f2449d637
  SHA1: f0d988b6e0d8b06ddefa34a8a8cf72dd701ffbfd
  SHA256: 4af87dbcf275ac56834c2c693e70da7e505f750ef450da7c2ae1cf889dd8a33d
  SHA512: a33fbf868f71a70ffd692c361e7c821155d4be63adafa95c918772674697a6e94c5340487fcf0e82036c11fb8cfe22f102704daac53039bb441896918ef2b070
- Filesize: 103KB
  MD5: 8d9709ff7d9c83bd376e01912c734f0a
  SHA1: e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294
  SHA256: 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
  SHA512: 042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee
- Filesize: 320KB
  MD5: 2d3b207c8a48148296156e5725426c7f
  SHA1: ad464eb7cf5c19c8a443ab5b590440b32dbc618f
  SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
  SHA512: 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
- Filesize: 257B
  MD5: 7067af414215ee4c50bfcd3ea43c84f0
  SHA1: c331d410672477844a4ca87f43a14e643c863af9
  SHA256: 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
  SHA512: 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f
- Filesize: 18KB
  MD5: a0b9388c5f18e27266a31f8c5765b263
  SHA1: 906f7e94f841d464d4da144f7c858fa2160e36db
  SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
  SHA512: 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
- Filesize: 3.6MB
  MD5: 00587238d16012152c2e951a087f2cc9
  SHA1: c4e27a43075ce993ff6bb033360af386b2fc58ff
  SHA256: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
  SHA512: 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
- Filesize: 702B
  MD5: a4aa9219becdeec09159270bb041bb35
  SHA1: 2d08305017efb0a1ff7defdf66db80191ed9ccf8
  SHA256: 277b9bcb5778cd5dc167ed75528818b06ed12f3fd427339f3085f4db8a39ed2e
  SHA512: 4f7ce001da009fcba0c5beab572a16306d56fd91253c45d5196892142da78ec805982a4e1c136ad61471b5a951697eed76f9ee63d8b94eb64024a11e0fd0de42
- Filesize: 755KB
  MD5: 0e37fbfa79d349d672456923ec5fbbe3
  SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- Filesize: 32KB
  MD5: dcde2248d19c778a41aa165866dd52d0
  SHA1: 7ec84be84fe23f0b0093b647538737e1f19ebb03
  SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
  SHA512: c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
- Filesize: 6.2MB
  MD5: 7ec59ba110bb9588ca11fd5eff41a0cb
  SHA1: e1bb61da5dcf038e30ea2faa058714a75f3d08be
  SHA256: 723bdcaa98933334bda7454d1e50083c743da9c72edcd2a9e879cf024c4d1eb1
  SHA512: 66e3f5d55f3d0f89f53f80db88f7de1451d46c59a221fb56341a84864fc22235f3a490fc5d6a820dea98c2615e7649f2ff44f67b96870137e0314afa90bd17ec
- Filesize: 758KB
  MD5: afd936e441bf5cbdb858e96833cc6ed3
  SHA1: 3491edd8c7caf9ae169e21fb58bccd29d95aefef
  SHA256: c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
  SHA512: 928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
- Filesize: 1.8MB
  MD5: 25fb9c54265bbacc7a055174479f0b70
  SHA1: 4af069a2ec874703a7e29023d23a1ada491b584e
  SHA256: 552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
  SHA512: 7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
- Filesize: 1.8MB
  MD5: ff279f4e5b1c6fbda804d2437c2dbdc8
  SHA1: 2feb3762c877a5ae3ca60eeebc37003ad0844245
  SHA256: e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
  SHA512: c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
- Filesize: 4.3MB
  MD5: 083ab041d543588b128c08732eb1a935
  SHA1: 2aab4765f9b00521a5d79764bf61d1c95a8a07c7
  SHA256: 6db4256ed69b6154cfbb1456b8b69154e50e6446a04874c0d4824ecaa36c76a3
  SHA512: 16bab58b6f485f6feb0fa1bbd453a08c055e47f46830d60f05371cc0181c3950beb596b691821374cb436a7ced52a186a1fed33ef121700de8a19714f4181997
- Filesize: 1.9MB
  MD5: 93bf2910301e6f4b2ef217e83a36b5b5
  SHA1: a2b029ef8f590a25f170c9b0421366306a3a254d
  SHA256: 0765fe1adbe71b297e93089dc7cc3498ea625239800f66e03643c8831d377d1e
  SHA512: 4f1423acd48d265fc24b05f9d77293239288c8618eafc94a0ee3bbb32ebf61bc4e5f2725f8301dd063835821d4ab18d98582be202867d1ceca750cfd23f1b2a9
- Filesize: 747KB
  MD5: 8a9cb17c0224a01bd34b46495983c50a
  SHA1: 00296ea6a56f6e10a0f1450a20c5fb329b8856c1
  SHA256: 3d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
  SHA512: 1472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
- Filesize: 4.2MB
  MD5: 3a425626cbd40345f5b8dddd6b2b9efa
  SHA1: 7b50e108e293e54c15dce816552356f424eea97a
  SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
  SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
- Filesize: 4.3MB
  MD5: 39cb781a70f40105ffdbb75e77aa6d7f
  SHA1: 79805738b703d0b7375140a0067f720f6ff5fb99
  SHA256: c3ce51918df45e9cae14921d25c0419397003733e9ada04a33e4cde97013e2e6
  SHA512: 1d131ff871ee80937334672c905f8e94cb43d28e22843a7a6538cb54ec060ed01e02d48ab5569218bdb57248c6e2c7920e54ecb506f75ef7cefeb200c4587a98
- Filesize: 5.1MB
  MD5: 860d1f0fea634d144687ca9b4ee03312
  SHA1: 204cbef54d7eb4dbcdca7aed5db8fad259fb4ff1
  SHA256: 8201f374070f944d650a02a5d8ee365dacd92ef4b175aaf4ad994f0f5fd86047
  SHA512: d8d32a0978c859efde07e1b26886d9f1397889c46f051e632236ad0bdd009c866b6e4f1b494424ab4ea420304a3107abbac00de56512c1588595150f0fcf18e4
- Filesize: 323KB
  MD5: 75064ea68fb7baeec3681034d9267a12
  SHA1: 555ba32a06cb3d5da92ab44540786dab3b27e0f9
  SHA256: 48fec89589b940e903923b588f3dcbb636676b15ba39e7b644a0c185bdea695e
  SHA512: 9621ce7c64a84064ab374110239296aadd5ffecf03ba7ed1e605978d2c28f279858fb2c814e8675a9257fc9b85eabaaa06aedcc17cfaa6dc49f257c573464bb4
- Filesize: 323KB
  MD5: f76410e6255ed89c286c35b7b7c5269a
  SHA1: 8a22735312d9a4692350464b107ed5872bf2527e
  SHA256: 0b8c0c908da39e77e0ef2f4b3b0eb96f3709d052252e0eae619790c61fc42b81
  SHA512: 51792ac3843450672ede7a44e1dab0509b26e1ab4d2fa93d08c0d25644920bc5afbeb35372cf55a99fa624f61c5e1188ee9d3bff58808c9b3d7c8f61c95435d7
- Filesize: 4KB
  MD5: c87335758e909c8cc2006896026291e5
  SHA1: c235435d74a5c411fca494640f0367f0c898603c
  SHA256: bbb4de5522fd19c27180d907946e1bfa57ef89f2ff1ca365b75d9c166ef61df1
  SHA512: 7bdcdaad66abb725f52fb5569b7e4f2b7e17367b6bbdffb94699c360cc9ed803c51cd097832510d9adb3dfb9a2577431833fe3b58ff31522e993a411df2dc777
- Filesize: 66KB
  MD5: 640f3d42e52e3d361569c3fb6bb4441d
  SHA1: 2c7acdc20d3788b58bf139f304ed38ceaa98af31
  SHA256: ffc17acf3f3c8e73b944e279fee7ecaf6fac46ec4c305aedc1c51122db256e37
  SHA512: 5429b2ede62400166950e6385b44612960338ccb7162b82fe7e62cb6e48b9e07be22eea6a8c798defb5320a34a8e26d85e71886754e8e8a71d0a0ffc30ba1158
- Filesize: 2.1MB
  MD5: cb98aab3f8a161d55d04086ffcafbbbd
  SHA1: 14c4c97c22d6c3456da33c59ed1dc9d8f86fdc73
  SHA256: 94a297719f304bb12f650d693984db73c7a72685f28cdeeca2fa34a407808231
  SHA512: fd79696e98c8e3f9a422fa879c28b3305f007b8ea5efd80b5524704b8bea8183c0ba11d4336d5a4aed1c97b17a668b488808fb0a0f7614f001a32c48e3d8083b
- Filesize: 2.2MB
  MD5: a27781beec02a26de306aae4f1a07eca
  SHA1: 56cfe4516031a3cbb6e9ea93d910447914f22e01
  SHA256: 845bb388322c35078cfc9d47d4d1752b62f796f4defa79215004547a040d0704
  SHA512: dfc25773b867805c5ffaabde22be435512cf9597237aacb4627f6b66c69f68180f78877983b5099dba7b3792a0a0836ad0991004af1a9271b3827d53aca03236
- Filesize: 5KB
  MD5: 29cd6e1c8ff658a4ddb263711010f910
  SHA1: d52bf677db91278c332a2de7ce7f425c8a6b5e40
  SHA256: d3e610de7de2f7af4458c76debcbad3a770ecbb8d08360523448559a4baa8cc4
  SHA512: 6f42b277418524f396899ee7aa11223676e0a630235ac0daf513fe0cdc69adace5de4b66d98b559b3cdc195e064873d67c26767f7ae0ed80a2d5d4527e62137b
- Filesize: 1.7MB
  MD5: 79570b0cf02a64d470b0eba42fc95917
  SHA1: 07831967f7a32b71159261db90b5df73eaf84b9e
  SHA256: 52fc1e8680bc6187367fe55785ff1b9592be46e6a6621824511d3cf748a86c24
  SHA512: bdf8d29356eaf6819c6d6ae2911ad911a941b4f917ef11b28aa6891e4890286fbbc7dd7c86c4c911aeaf3c75dd748a44220ff6e2da9d482218f14a79f8d592af
- Filesize: 2.8MB
  MD5: d066fa57fe45e81e1718b9626b469209
  SHA1: cffa0cb764cf71bfae214a68f5dfb799a0a4c614
  SHA256: 96e780dc197438053737878154b2f1bc4c7476f3ec487c88a5ebd7d91a0570fb
  SHA512: 07b3a818c8efa477dc000ec1acf9b4b7a882993da58d02cdc59901cfa55a00a9f727b554c34173cfb1bd924d0f85d4ec1fff7527e0f02b3750bd24af4c81899d
- Filesize: 1.8MB
  MD5: df0dce83067b009b5190d62f241fb4fe
  SHA1: 648df52d7f8f675df4b752d146103a63447c6ea9
  SHA256: 2bc198b56d532a372c320219e02d1041f0cbd41872ee886f43e9ca8a9124dee6
  SHA512: cae71eae242590094f58697240f3aa0461ff15e92dae8d5e6eaca053c7a7d54a824272c46b93a110f9981b25d8757b06717214e5b2b35453766ed5fbfa94dc5f
- Filesize: 2.8MB
  MD5: c717ce97d1ccb5e1e40ab567fcc1a6c2
  SHA1: 4f7fc6b325ed56442667126f527a7a8dd701d0f1
  SHA256: 33a44faa62d905dcb4a870dac7bb2f5e206b624b0be0db5800d98597b42b670e
  SHA512: a61cbcd7ccf743a2c18f7fc9c225d9dac056f198f60ba9c1cf43aa73f55eeaca925240917dcbe36185a579e5aa3341b43fb1df12963b2820fd309cb5642322e3
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 440B
  MD5: 3626532127e3066df98e34c3d56a1869
  SHA1: 5fa7102f02615afde4efd4ed091744e842c63f78
  SHA256: 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
  SHA512: dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
- Filesize: 146KB
  MD5: 2fab606d750aad11fbf8e0a9060172db
  SHA1: b2e40332e179f921a73c64ea09a54c0f2bf75959
  SHA256: d3289b09fc9c37a80f0215b5c8c7990b9d3353e0c27cc4689e806d6026b6dda7
  SHA512: 1670ddfb2233c346a8cd5ee88700697c17123923da964e115c6ade238f77b421f51bf6459bf46bb3966f1de8fdeeeda774d7100b5c5dac46e53e738e8691ab1f