Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 02:13
Static task
static1
Behavioral task
behavioral1
Sample
055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Resource
win10v2004-20241007-en
General
-
Target
055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
-
Size
2.8MB
-
MD5
8cbe0ced0c0f7bfbdf19128ba80adb99
-
SHA1
15e615a0fe64fe5200dd916232d9bc26b1c3d815
-
SHA256
055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
-
SHA512
4b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938
-
SSDEEP
49152:kNv6yZz1fXBB9nu/SkIK3OdW+56W0xSDmoJb3:s6yZz1fRB9nu/SkIK3ibpDmA
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
Signatures
-
Amadey family
-
Lumma family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 5156 created 1184 5156 5373bd9355.exe 21 -
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF ee0ae43080.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5373bd9355.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 585d15ddcd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f42ccbfef9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b3179ddffa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a26f2f14d4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ee0ae43080.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c79eeace14.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7b44644e33.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f0962d902e.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5964 powershell.exe 9936 powershell.exe 6660 powershell.exe 6816 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b3179ddffa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a26f2f14d4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5373bd9355.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5373bd9355.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ee0ae43080.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f0962d902e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ee0ae43080.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 585d15ddcd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c79eeace14.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c79eeace14.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f42ccbfef9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f0962d902e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a26f2f14d4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 585d15ddcd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7b44644e33.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7b44644e33.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f42ccbfef9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b3179ddffa.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApproximateSize.vbs UZAj8wc.exe -
Executes dropped EXE 39 IoCs
pid Process 304 skotes.exe 2656 INOKWGC.exe 2880 8ZVMneG.exe 1792 8ZVMneG.exe 1972 UZAj8wc.exe 2984 b3179ddffa.exe 1420 5bff4ae5b7.exe 3180 5bff4ae5b7.exe 3736 f0962d902e.exe 4240 c7ac8b2876.exe 4688 a26f2f14d4.exe 5156 5373bd9355.exe 5776 26fbef1867.exe 6080 c7ac8b2876.exe 10224 1a9c033c34.exe 3448 7z.exe 3588 7z.exe 3776 7z.exe 3856 7z.exe 3976 7z.exe 4076 7z.exe 4176 7z.exe 4256 7z.exe 4404 in.exe 5552 Intel_PTT_EK_Recertification.exe 832 ee0ae43080.exe 4568 585d15ddcd.exe 5300 eaffa2d4bb.exe 5680 eaffa2d4bb.exe 5712 eaffa2d4bb.exe 492 c59adc6d69.exe 6360 3c31b3e3c1.exe 6520 d15273a03c.exe 7248 c79eeace14.exe 7856 7b44644e33.exe 8340 6e78a3cb47.exe 2924 3c31b3e3c1.exe 5636 f42ccbfef9.exe 6128 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine a26f2f14d4.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 5373bd9355.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 7b44644e33.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine f42ccbfef9.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine ee0ae43080.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 585d15ddcd.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine c79eeace14.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine b3179ddffa.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine f0962d902e.exe -
Loads dropped DLL 64 IoCs
pid Process 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 2880 8ZVMneG.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 1420 5bff4ae5b7.exe 1356 WerFault.exe 1356 WerFault.exe 1356 WerFault.exe 1356 WerFault.exe 1356 WerFault.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 4240 c7ac8b2876.exe 304 skotes.exe 3292 cmd.exe 3448 7z.exe 3292 cmd.exe 3588 7z.exe 3292 cmd.exe 3776 7z.exe 3292 cmd.exe 3856 7z.exe 3292 cmd.exe 3976 7z.exe 3292 cmd.exe 4076 7z.exe 3292 cmd.exe 4176 7z.exe 3292 cmd.exe 4256 7z.exe 3292 cmd.exe 3292 cmd.exe 5400 taskeng.exe 5400 taskeng.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 5300 eaffa2d4bb.exe 5300 eaffa2d4bb.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 304 skotes.exe 6360 3c31b3e3c1.exe 304 skotes.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\c79eeace14.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018117001\\c79eeace14.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b44644e33.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018118001\\7b44644e33.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\6e78a3cb47.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018119001\\6e78a3cb47.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\f42ccbfef9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018120001\\f42ccbfef9.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3179ddffa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018024001\\b3179ddffa.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000500000001a4b0-3835.dat autoit_exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid Process 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 304 skotes.exe 2984 b3179ddffa.exe 3736 f0962d902e.exe 4688 a26f2f14d4.exe 5156 5373bd9355.exe 832 ee0ae43080.exe 4568 585d15ddcd.exe 7248 c79eeace14.exe 7856 7b44644e33.exe 5636 f42ccbfef9.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 2880 set thread context of 1792 2880 8ZVMneG.exe 33 PID 1420 set thread context of 3180 1420 5bff4ae5b7.exe 43 PID 4240 set thread context of 6080 4240 c7ac8b2876.exe 54 PID 5552 set thread context of 5596 5552 Intel_PTT_EK_Recertification.exe 82 PID 5300 set thread context of 5712 5300 eaffa2d4bb.exe 91 PID 6360 set thread context of 2924 6360 3c31b3e3c1.exe 122 PID 6128 set thread context of 2228 6128 Intel_PTT_EK_Recertification.exe 125 -
resource yara_rule behavioral1/memory/4404-3656-0x000000013F9E0000-0x000000013FE70000-memory.dmp upx behavioral1/memory/5552-3668-0x000000013F590000-0x000000013FA20000-memory.dmp upx behavioral1/memory/5552-3678-0x000000013F590000-0x000000013FA20000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1356 1972 WerFault.exe 34 -
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3179ddffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eaffa2d4bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f42ccbfef9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bff4ae5b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 6e78a3cb47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UZAj8wc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bff4ae5b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c31b3e3c1.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 6e78a3cb47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c79eeace14.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e78a3cb47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c31b3e3c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ZVMneG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a26f2f14d4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26fbef1867.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f0962d902e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5373bd9355.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7ac8b2876.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7b44644e33.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ZVMneG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7ac8b2876.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a9c033c34.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d15273a03c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee0ae43080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eaffa2d4bb.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4548 powershell.exe 2972 PING.EXE 5812 powershell.exe 1712 PING.EXE 868 powershell.exe 2304 PING.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 8416 taskkill.exe 8636 taskkill.exe 8804 taskkill.exe 8956 taskkill.exe 9076 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a b3179ddffa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a b3179ddffa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 b3179ddffa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a b3179ddffa.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2304 PING.EXE 2972 PING.EXE 1712 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4512 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 304 skotes.exe 1972 UZAj8wc.exe 1972 UZAj8wc.exe 1972 UZAj8wc.exe 2984 b3179ddffa.exe 1284 powershell.exe 1972 UZAj8wc.exe 3736 f0962d902e.exe 4688 a26f2f14d4.exe 5156 5373bd9355.exe 5156 5373bd9355.exe 5156 5373bd9355.exe 5156 5373bd9355.exe 5156 5373bd9355.exe 5548 dialer.exe 5548 dialer.exe 5548 dialer.exe 5548 dialer.exe 5776 26fbef1867.exe 5964 powershell.exe 5964 powershell.exe 6080 c7ac8b2876.exe 6080 c7ac8b2876.exe 9936 powershell.exe 4548 powershell.exe 5552 Intel_PTT_EK_Recertification.exe 5812 powershell.exe 832 ee0ae43080.exe 832 ee0ae43080.exe 832 ee0ae43080.exe 832 ee0ae43080.exe 832 ee0ae43080.exe 832 ee0ae43080.exe 4568 585d15ddcd.exe 6520 d15273a03c.exe 6660 powershell.exe 6816 powershell.exe 7248 c79eeace14.exe 7856 7b44644e33.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 5636 f42ccbfef9.exe 5636 f42ccbfef9.exe 6128 Intel_PTT_EK_Recertification.exe 868 powershell.exe 5636 f42ccbfef9.exe 5636 f42ccbfef9.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeDebugPrivilege 1972 UZAj8wc.exe Token: SeDebugPrivilege 1284 powershell.exe Token: SeDebugPrivilege 1972 UZAj8wc.exe Token: SeDebugPrivilege 5776 26fbef1867.exe Token: SeDebugPrivilege 6080 c7ac8b2876.exe Token: SeDebugPrivilege 5964 powershell.exe Token: SeDebugPrivilege 9936 powershell.exe Token: SeRestorePrivilege 3448 7z.exe Token: 35 3448 7z.exe Token: SeSecurityPrivilege 3448 7z.exe Token: SeSecurityPrivilege 3448 7z.exe Token: SeRestorePrivilege 3588 7z.exe Token: 35 3588 7z.exe Token: SeSecurityPrivilege 3588 7z.exe Token: SeSecurityPrivilege 3588 7z.exe Token: SeRestorePrivilege 3776 7z.exe Token: 35 3776 7z.exe Token: SeSecurityPrivilege 3776 7z.exe Token: SeSecurityPrivilege 3776 7z.exe Token: SeRestorePrivilege 3856 7z.exe Token: 35 3856 7z.exe Token: SeSecurityPrivilege 3856 7z.exe Token: SeSecurityPrivilege 3856 7z.exe Token: SeRestorePrivilege 3976 7z.exe Token: 35 3976 7z.exe Token: SeSecurityPrivilege 3976 7z.exe Token: SeSecurityPrivilege 3976 7z.exe Token: SeRestorePrivilege 4076 7z.exe Token: 35 4076 7z.exe Token: SeSecurityPrivilege 4076 7z.exe Token: SeSecurityPrivilege 4076 7z.exe Token: SeRestorePrivilege 4176 7z.exe Token: 35 4176 7z.exe Token: SeSecurityPrivilege 4176 7z.exe Token: SeSecurityPrivilege 4176 7z.exe Token: SeRestorePrivilege 4256 7z.exe Token: 35 4256 7z.exe Token: SeSecurityPrivilege 4256 7z.exe Token: SeSecurityPrivilege 4256 7z.exe Token: SeDebugPrivilege 4548 powershell.exe Token: SeDebugPrivilege 5812 powershell.exe Token: SeLockMemoryPrivilege 5596 explorer.exe Token: SeDebugPrivilege 6360 3c31b3e3c1.exe Token: SeDebugPrivilege 6520 d15273a03c.exe Token: SeDebugPrivilege 6660 powershell.exe Token: SeDebugPrivilege 6816 powershell.exe Token: SeDebugPrivilege 8416 taskkill.exe Token: SeDebugPrivilege 8636 taskkill.exe Token: SeDebugPrivilege 8804 taskkill.exe Token: SeDebugPrivilege 8956 taskkill.exe Token: SeDebugPrivilege 9076 taskkill.exe Token: SeDebugPrivilege 2492 firefox.exe Token: SeDebugPrivilege 2492 firefox.exe Token: SeLockMemoryPrivilege 2228 explorer.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeDebugPrivilege 5636 f42ccbfef9.exe -
Suspicious use of FindShellTrayWindow 15 IoCs
pid Process 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 2492 firefox.exe 2492 firefox.exe 2492 firefox.exe 2492 firefox.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 2492 firefox.exe 2492 firefox.exe 2492 firefox.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe 8340 6e78a3cb47.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 304 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 28 PID 2868 wrote to memory of 304 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 28 PID 2868 wrote to memory of 304 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 28 PID 2868 wrote to memory of 304 2868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 28 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2656 304 skotes.exe 30 PID 304 wrote to memory of 2880 304 skotes.exe 31 PID 304 wrote to memory of 2880 304 skotes.exe 31 PID 304 wrote to memory of 2880 304 skotes.exe 31 PID 304 wrote to memory of 2880 304 skotes.exe 31 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 2880 wrote to memory of 1792 2880 8ZVMneG.exe 33 PID 304 wrote to memory of 1972 304 skotes.exe 34 PID 304 wrote to memory of 1972 304 skotes.exe 34 PID 304 wrote to memory of 1972 304 skotes.exe 34 PID 304 wrote to memory of 1972 304 skotes.exe 34 PID 304 wrote to memory of 2984 304 skotes.exe 38 PID 304 wrote to memory of 2984 304 skotes.exe 38 PID 304 wrote to memory of 2984 304 skotes.exe 38 PID 304 wrote to memory of 2984 304 skotes.exe 38 PID 1972 wrote to memory of 1284 1972 UZAj8wc.exe 39 PID 1972 wrote to memory of 1284 1972 UZAj8wc.exe 39 PID 1972 wrote to memory of 1284 1972 UZAj8wc.exe 39 PID 1972 wrote to memory of 1284 1972 UZAj8wc.exe 39 PID 304 wrote to memory of 1420 304 skotes.exe 41 PID 304 wrote to memory of 1420 304 skotes.exe 41 PID 304 wrote to memory of 1420 304 skotes.exe 41 PID 304 wrote to memory of 1420 304 skotes.exe 41 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1420 wrote to memory of 3180 1420 5bff4ae5b7.exe 43 PID 1972 wrote to memory of 1356 1972 UZAj8wc.exe 44 PID 1972 wrote to memory of 1356 1972 UZAj8wc.exe 44 PID 1972 wrote to memory of 1356 1972 UZAj8wc.exe 44 PID 1972 wrote to memory of 1356 1972 UZAj8wc.exe 44 PID 304 wrote to memory of 3736 304 skotes.exe 45 PID 304 wrote to memory of 3736 304 skotes.exe 45 PID 304 wrote to memory of 3736 304 skotes.exe 45 PID 304 wrote to memory of 3736 304 skotes.exe 45 PID 304 wrote to memory of 4240 304 skotes.exe 46 PID 304 wrote to memory of 4240 304 skotes.exe 46 PID 304 wrote to memory of 4240 304 skotes.exe 46 PID 304 wrote to memory of 4240 304 skotes.exe 46 PID 304 wrote to memory of 4688 304 skotes.exe 47 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4480 attrib.exe 4460 attrib.exe 4388 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe"C:\Users\Admin\AppData\Local\Temp\055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"4⤵
- Executes dropped EXE
PID:2656
-
-
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"4⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANwA5ADEANgAwADAAMQBcAFUAWgBBAGoAOAB3AGMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANwA5ADEANgAwADAAMQBcAFUAWgBBAGoAOAB3AGMALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEEAcABwAHIAbwB4AGkAbQBhAHQAZQBTAGkAegBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEEAcABwAHIAbwB4AGkAbQBhAHQAZQBTAGkAegBlAC4AZQB4AGUA5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 7405⤵
- Loads dropped DLL
- Program crash
PID:1356
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018024001\b3179ddffa.exe"C:\Users\Admin\AppData\Local\Temp\1018024001\b3179ddffa.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\1018104001\5bff4ae5b7.exe"C:\Users\Admin\AppData\Local\Temp\1018104001\5bff4ae5b7.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\1018104001\5bff4ae5b7.exe"C:\Users\Admin\AppData\Local\Temp\1018104001\5bff4ae5b7.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3180
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018105001\f0962d902e.exe"C:\Users\Admin\AppData\Local\Temp\1018105001\f0962d902e.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3736
-
-
C:\Users\Admin\AppData\Local\Temp\1018106001\c7ac8b2876.exe"C:\Users\Admin\AppData\Local\Temp\1018106001\c7ac8b2876.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\1018106001\c7ac8b2876.exe"C:\Users\Admin\AppData\Local\Temp\1018106001\c7ac8b2876.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6080
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018107001\a26f2f14d4.exe"C:\Users\Admin\AppData\Local\Temp\1018107001\a26f2f14d4.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4688
-
-
C:\Users\Admin\AppData\Local\Temp\1018108001\5373bd9355.exe"C:\Users\Admin\AppData\Local\Temp\1018108001\5373bd9355.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5156
-
-
C:\Users\Admin\AppData\Local\Temp\1018109001\26fbef1867.exe"C:\Users\Admin\AppData\Local\Temp\1018109001\26fbef1867.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\cfesajd"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5964
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:9936
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018110001\1a9c033c34.exe"C:\Users\Admin\AppData\Local\Temp\1018110001\1a9c033c34.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:10224 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"5⤵
- Loads dropped DLL
PID:3292 -
C:\Windows\system32\mode.commode 65,106⤵PID:3400
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4176
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"6⤵
- Views/modifies file attributes
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"6⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:4460
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:4480
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE7⤵
- Scheduled Task/Job: Scheduled Task
PID:4512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2972
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018111001\ee0ae43080.exe"C:\Users\Admin\AppData\Local\Temp\1018111001\ee0ae43080.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\1018112001\585d15ddcd.exe"C:\Users\Admin\AppData\Local\Temp\1018112001\585d15ddcd.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
-
C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5300 -
C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"5⤵
- Executes dropped EXE
PID:5680
-
-
C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"C:\Users\Admin\AppData\Local\Temp\1018113001\eaffa2d4bb.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5712
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018114001\c59adc6d69.exe"C:\Users\Admin\AppData\Local\Temp\1018114001\c59adc6d69.exe"4⤵
- Executes dropped EXE
PID:492
-
-
C:\Users\Admin\AppData\Local\Temp\1018115001\3c31b3e3c1.exe"C:\Users\Admin\AppData\Local\Temp\1018115001\3c31b3e3c1.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6360 -
C:\Users\Admin\AppData\Local\Temp\1018115001\3c31b3e3c1.exe"C:\Users\Admin\AppData\Local\Temp\1018115001\3c31b3e3c1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018116001\d15273a03c.exe"C:\Users\Admin\AppData\Local\Temp\1018116001\d15273a03c.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6520 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\feayps"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6660
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6816
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018117001\c79eeace14.exe"C:\Users\Admin\AppData\Local\Temp\1018117001\c79eeace14.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7248
-
-
C:\Users\Admin\AppData\Local\Temp\1018118001\7b44644e33.exe"C:\Users\Admin\AppData\Local\Temp\1018118001\7b44644e33.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7856
-
-
C:\Users\Admin\AppData\Local\Temp\1018119001\6e78a3cb47.exe"C:\Users\Admin\AppData\Local\Temp\1018119001\6e78a3cb47.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8340 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8416
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8804
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8956
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:9200
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2492 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.0.1275378654\210650365" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {876a4116-4d4f-438f-8299-27dfdcea16d0} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 1276 110bbf58 gpu7⤵PID:9516
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.1.1973026540\525594211" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ba548cd-57eb-490a-be8e-1f285b22e94c} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 1492 d74b58 socket7⤵PID:9640
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.2.7232946\2074564379" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77315c15-000d-43b0-8448-69bccbdb7bae} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 2108 1a8b1f58 tab7⤵PID:3096
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.3.1456431494\796407134" -childID 2 -isForBrowser -prefsHandle 2852 -prefMapHandle 2848 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15e67fa0-e4fa-4db8-8e5b-8e5d2e880f88} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 2864 1b79e958 tab7⤵PID:264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.4.1840387097\1198504279" -childID 3 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1896a42a-e5a6-4582-ab9f-46d3a285d563} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3748 1bd4fe58 tab7⤵PID:1936
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.5.2104227064\2100945327" -childID 4 -isForBrowser -prefsHandle 3844 -prefMapHandle 3848 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc179d13-8d67-4505-9e16-6794565ec675} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3756 1bd50458 tab7⤵PID:2416
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.6.1516795082\2056251601" -childID 5 -isForBrowser -prefsHandle 3856 -prefMapHandle 3916 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9259b8a9-cf78-4709-ad32-8dbf3cf690d6} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3936 1bd51958 tab7⤵PID:1804
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018120001\f42ccbfef9.exe"C:\Users\Admin\AppData\Local\Temp\1018120001\f42ccbfef9.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5636
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5548
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8A330D9D-7A07-4F60-9497-8B2CB0F1B718} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:5400 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5552 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5812 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1712
-
-
-
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6128 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2304
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp
Filesize31KB
MD5ff54be723af3b7067779d86ea20fcd44
SHA16d5c87cd8f23039522b6659e68b756a6bd682d13
SHA256ca6927c8d2897e0ef432f1515364021b59b86b03aab07a6ffba58c9dde44487b
SHA512ee60afc17dc980b4746c8d7be7b49b71c9f8017af4cbb0de69837f3b98ab08023e74c08d7940e827d760c1cd2bc88e9dd3667d392f395c143b147ba4b26d3ac5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.3MB
MD5669ed3665495a4a52029ff680ec8eba9
SHA17785e285365a141e307931ca4c4ef00b7ecc8986
SHA2562d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6
SHA512bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6
-
Filesize
791KB
MD5e8af4d0d0b47ac68d762b7f288ae8e6e
SHA11d65f31526cc20ab41d6b1625d6674d7f13e326c
SHA256b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
SHA51280fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a
-
Filesize
935KB
MD55b99682cb740202d783dde58ca97f045
SHA1cecae054552ce295feaa0717d2a33e870addcadd
SHA256724e283e1bb29a150c9bebc21bdf0e250e2d87257bf86c889bbe7544329c6882
SHA512c37a2cb06407729344adb85d814223a24ec4fa65f711c7f02c0e77395ec969b7e1bd64a6f5806d4e2d88c8461587d68b6aae3378d2cf5c92f1ade2aacc13f2b2
-
Filesize
2.7MB
MD5af13a753c8a31d591e122e15c1d717bd
SHA1396f37a0874f2bea3d397b7fe7a770f2ef6be173
SHA25605724ef44c4401e17e540e65e3ab7d0d0ffcdb933040cfd38920f9eba67a5845
SHA512b3bbb544e6af579fc3c2f6c52bbac936597b012dc9d094abc7f503122fc3619d6a3a4d4f1b53ef0b3cddd44f6e3f141003f1747b599318c0891131564afef6b2
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
1.1MB
MD5ef08a45833a7d881c90ded1952f96cb4
SHA1f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA25633c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA51274e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
1.9MB
MD5ed9fb7650e33c7fa5cf0c7dd57483eed
SHA1847fd45efadd1a7c37548771b07a5f007ab4aa40
SHA25637c00d35c082a812602fe1609e5bc87b20864123358828bbc47de9d7498694e1
SHA512440ea66a6056b283312b32c1195f88cd6e8a518af0a8a88c0c51c4b93bad3ef1ce6c5712d84088061192ed4530105f15de04d44e4d3d1ca25cf0b5bd849ccb80
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
4.2MB
MD58664a5a6e958f985735b8a17171550bc
SHA13deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
SHA256ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
SHA512adc1c9bc3af3a39b066a9231ef6bd9119d48dff41a4e5bfac695c40a5d2b9e5e9f4eb6e4779408cd7f22fe0e7e5697d7fa314778864fd13bb321db3f8d0514b0
-
Filesize
4.3MB
MD535e2c99a2fed28f4148ef7f4c1431df4
SHA18b05aa4709fd09892238baa7a14f42d58dd58d14
SHA256d01a1b39c935e182b6e4d6c2c15dfe35a59b086fe55bbea0338bc35626a1d3df
SHA512e03cfe592504f165fdd3a04dc3293d2ac786c51b9b59f6ebc0560013aadde66bdfdcb3c93cd225b51cdff831050e1bfc94977ed761006f10a852fe132a6cebb8
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
21KB
MD504f57c6fb2b2cd8dcc4b38e4a93d4366
SHA161770495aa18d480f70b654d1f57998e5bd8c885
SHA25651e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA51253f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
-
Filesize
1.8MB
MD5905a055e55bf1bead1d2df06d2fc9888
SHA10b69e66478bdaa14ea3da0f88cdf8a6b84ba3731
SHA2567f0d53beb82e6590383049463e0375c9905a277b0af46ee79f614ecbe343fd95
SHA512f0295c0e8cc6a3c1146a20c7107b1e7c17cd66d632f8b91b461062451e9ef940e116273cc13b51d780826c9ceee903f3cab7261b43ec9a76ccd01e96de3812d9
-
Filesize
2.8MB
MD552b49bc4dc2268ae5d827a065d5723f7
SHA10fd5a4079dac939869e243966987ece4e146a7fa
SHA256a29343dda6e66875bb76baed5a655a8ea66e0c9759ac76bc3673d3453746282b
SHA51273ce864ecb62eb1d6e022bce9fbf55d2a5765b534e42da616a0560e8c4e8ae034a340f515f234153ae786513a7da76a8ef3b317ef95050afd58fc4eb8dc23adf
-
Filesize
947KB
MD52b09cc7c70204429da7ec05b29fd0487
SHA1688a15b873282d198c33bf387134c4f893878a06
SHA256199114dbdd79a936831dbf3cd57f1ec188bd7ac86ab3971b5dda91040df20408
SHA512382b93aff7c7118a120aa3414efdc428887f5c6353345b12fb62c994d16fa4a26638b988ca46afcf5c86a18da34eafa7770954a6c22a1ab57fe19b2651b87cd1
-
Filesize
2.7MB
MD54e8d2ba58e7eaf8e12bbfbae1766da3b
SHA1c3ad2a4dde5cbd84f903876484f7079b130af930
SHA2564b1089921522eb16c95c7bd868ae9e0688d035714f94b0a3564503b65126614a
SHA512b21e3215e8a8f3ccd30cea8d7bfd3be36c60cffa115106409aae78654081984f2c4536c6180dd255c5e52da07a374f727b6b48c0f7b8686129f5f70e882beea9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.8MB
MD58cbe0ced0c0f7bfbdf19128ba80adb99
SHA115e615a0fe64fe5200dd916232d9bc26b1c3d815
SHA256055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
SHA5124b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L9AKJ1ZBNQVWWUTUA8HS.temp
Filesize7KB
MD50276aa12b493e0cd413c1d93fab1a83d
SHA19e021b5fb288debaab148ede8057e353135c9650
SHA25652a000d6327742913daa4825dc4a2b0448bfb6ca8f369921b6edf40b619467b0
SHA512f4b6d0a8b2b4fd1a133fdf8eb08e003e797188049ae4d09814da4fbf8d6ab4f236b87bffcf99f4b60cc895fd3803d8504348166f18a2ce3b873010bb716e29e1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5d2391870f66c87acdd253f5034bf58df
SHA139d08ae95083fa00845318069c454fa671c7de18
SHA256efd7dec555ae8dfb669c7931a2e76bb5c1af380404b5678a205ae3038340e73a
SHA512318fe377ea82c0a050896fadd5ebfb5ae6eac628c004fe1f6b2fe24747a3eb32ddfcaf03e1e04758eafc9824c7634929bc8b0c84b5f03cb2894caa6250bd82b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD54c930031be0a9f083586d5acda2eea53
SHA1948e12508f5aef57ddb861a831be50ef217eb753
SHA256a205af008f2bb4be55a6d6ff6269e4fd23eb38f6eed36b3dd186efc9d2802f78
SHA5124bd470017ad19e156573073ef9e68b1f242b61b1fc3bff680419dd7260c01167ca71f0657c05f2519527e00b78a929092803dc5f223e2598c46c0f5d3aa3af3c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\1c54aba8-9fcb-4aba-b303-88f403c4f918
Filesize733B
MD5ec71576bb7b4f7e60385f608ab06938a
SHA16fc70c0d18f292012aedb25b43781977b882ff10
SHA256b106c8a26613f1aed29ba6bd5f97012dcf2632fcc70e31b1d51370e74a1caebd
SHA512a1fff1f9f0961a87de2a1243da9b46f3080d531281127a5e78fa728530f0ad7bb62bab163aa5a8d9916b744fd7191e65ec67dfcf8db3b5e3696204aa2cbe635d
-
Filesize
6KB
MD5466f072eeffaacc7430d1ec7058b26d1
SHA11e56c4b27832b8a36a4affa11ff54f942949c9ce
SHA256cbe05ac2f1db9e3c7c792a105eb66753c50127197e484f381da7c8b482bb53c7
SHA5124a37106bd75f3eaf8f01b3bc9b332bf15f765b9ac0504a151555879f94e5120f564bd3e639182435a34ac38423604c969c88d58cf617bd80378dd95cdd884025
-
Filesize
6KB
MD5fede96dec562541d99f20847a9542d3f
SHA19632c2a48c71c053c6a7f6e414eff71fd929ae25
SHA256489a509a42371f0bee24c774fdf1d974719aa368201aa0d0b706d7d98fae1b14
SHA5120ffe64e7ec96f5917e0e27776477c0301b3b836d8db22b302df811a253d7cf60158ee3782ff21e2d721b9d36f93f8059cfa6a683a23d72e3a0aecc57a13e85c9
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628