Creates mutexes. Mutexes can be used to synchronize different processes the sample may create or inject, or to indicate that the system is already infected. The spawned process %programfiles(x86)%\windows nt\accessories\wordpad.exe creates the mutex Local\WinSpl64To32Mutex_17a79_0_3000.
Techniques were used to test the duration of sleep functions.
To know when the registry keys are modified, the original file %profile%\downloads\0\smtptesttool_v4\smtp_test_tool_v4\smtptesttool.exe asks to be notified when the registry key hklm\software\policies\microsoft\windows\tenantrestrictions\payload is changed.
Network accesses can be used for the following reasons: check for Internet connection, report a new infection to its author, receive configuration or other data, receive instructions, search for its location, upload information etc. The original file %profile%\downloads\0\smtptesttool_v4\smtp_test_tool_v4\smtptesttool.exe connects to the URL raw.githubusercontent.com/georgjf/SMTPtool/master/update/updateInfo.xml.
The spawned process %programfiles(x86)%\windows nt\accessories\wordpad.exe deletes the registry key hkcu\software\microsoft\windows\currentversion\applets\wordpad\recent file list.
Performs various changes to the file system. These changes can have various purposes, from ensuring persistence and continuing the activities from a different location, storing information, or modifying existing files to restrict access, to destroying user data. The original file %programfiles%\google\chrome\application\chrome.exe deletes the following files:
%windir%\systemtemp\scoped_dir4340_784400186
%windir%\systemtemp\scoped_dir4340_18120656
%windir%\systemtemp\scoped_dir4340_567352189
%windir%\systemtemp\scoped_dir4340_94387942
%windir%\systemtemp\scoped_dir4340_1544912612
%windir%\systemtemp\scoped_dir4340_1214354537
%windir%\systemtemp\scoped_dir4340_1742097795
%windir%\systemtemp\scoped_dir4340_2086781759
%windir%\systemtemp\scoped_dir4340_1164514383
%windir%\systemtemp\scoped_dir4340_1701877775
%windir%\systemtemp\scoped_dir4340_2088946744