Malware Analysis Report

2024-12-07 17:30

Sample ID 241112-fkhx3awalj
Target 6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe
SHA256 90cf4369120d4d8a353986a55a7418b7fee3ba57885af28a7328d301ea09cc93
Tags
amadey lumma stealc 9c9aa5 tale credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90cf4369120d4d8a353986a55a7418b7fee3ba57885af28a7328d301ea09cc93

Threat Level: Known bad

The file 6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe was found to be: Known bad.

Malicious Activity Summary

amadey lumma stealc 9c9aa5 tale credential_access discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Lumma Stealer, LummaC

Stealc family

Amadey family

Stealc

Amadey

Lumma family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Windows security modification

Checks BIOS information in registry

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Reads data files stored by FTP clients

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 04:55

Reported

2024-11-12 04:57

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A

Reads data files stored by FTP clients

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\794b2d6343.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005692001\\794b2d6343.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08987960de.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005694001\\08987960de.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
PID 4484 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
PID 4484 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
PID 1692 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
PID 1692 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
PID 1692 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
PID 3908 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3908 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3908 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1692 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
PID 1692 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
PID 1692 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
PID 4484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
PID 4484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
PID 4484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
PID 1016 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4780 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4780 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3604 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe
PID 3604 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe
PID 3604 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe
PID 3604 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3604 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3604 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3604 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe
PID 3604 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe
PID 3604 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe

"C:\Users\Admin\AppData\Local\Temp\6c5dc28581c45c6debe0810184ce134e456895f0572c657bbb036c92bac89805N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe

"C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe

"C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 presticitpo.store udp
US 8.8.8.8:53 crisiwarny.store udp
US 8.8.8.8:53 fadehairucw.store udp
US 8.8.8.8:53 thumbystriw.store udp
US 8.8.8.8:53 necklacedmny.store udp
US 8.8.8.8:53 founpiuer.store udp
US 8.8.8.8:53 navygenerayk.store udp
US 8.8.8.8:53 scriptyprefej.store udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 80.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

MD5 c3a949833a4a77388c9d278084868bf2
SHA1 c1ccbe6146d98e96ee02adf0fd297cbc92237709
SHA256 3021414754d72ad9d34ea792cef5362384325ff5b3ed75bb534b8618546e5d90
SHA512 3ff6a290e51bdb7f781378b5d43eb6997cef9bfcb7de7f239d910f4d6fb1f44254679102c7fa08aa1445298d55477c26fd9fd64ea6d205e5e4930e497a568b26

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

MD5 74ba48529515c95320f4a86fc42fc668
SHA1 c33b2b0c5e43e5ac274206ae964cf85bb8718048
SHA256 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
SHA512 16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

MD5 a8f20ad3d41973d7375370b0b7e0f206
SHA1 1e7775500a8838eb99511557a0a6b91001711e77
SHA256 945c4e520925902102b0b7435d34ae82952150535847dbb9bae31e319c62ac00
SHA512 74915dbf9abb08f258c5f64ec12b19bbbafb0a09a6f01b322cbb3594f9ce3469b352b6279e0b2dcb817ac5a2fc0635c0dd860bd649138326f164ea6193951891

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

MD5 5f44f2bb693c50d1141aa214dac22796
SHA1 aa3408aaf55c7fc92b90cdbb08075c2b59a7a6dc
SHA256 184b2aee425e019ac00a1000a882e5d01e4175e90d84ca0e473db487d43add7d
SHA512 4ea0f394a1ec64d7c97b726d7df92519ac87d053e3c1030b0bd8a3fd9b41beed1f48008f85b02b5de2f505e2283888e142dfb8dd3499440b3c00e28da9f23d4e

C:\ProgramData\chrome.dll

MD5 eda18948a989176f4eebb175ce806255
SHA1 ff22a3d5f5fb705137f233c36622c79eab995897
SHA256 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

C:\Users\Admin\AppData\Local\Temp\1005692001\794b2d6343.exe

MD5 66f2b773bda9a47871b418efd3917f62
SHA1 08ed72903bb00244327ab65faae9e11c6b5b9903
SHA256 b540bea2b0fba5ebafd1f61f21be96f8855227a5dbe713bf44dd55e45f747b2f
SHA512 067dc63810fcf8b8c171a36fec98518517871d8cf8604a63bfe53630351f395501fa56ba5406de7a9780f677fb5f9e33c7e372e3eb01311e4d9a01760eee1542

C:\Users\Admin\AppData\Local\Temp\1005694001\08987960de.exe

MD5 cb344a42a4c3889f25cf1bcd8c6a2809
SHA1 17619d8b941e97e73a0e461ea7b2d678758e21ef
SHA256 8d5cdf57b2a9236db16e95f17f96bcc0515bc90f199c0b850319278bdfd45f54
SHA512 8fa893e0131701990e7bb5cb2a1d5e771b2937fe65f4d914b1c1f8cee098b7470c7f6299b87e0ef0c0d63c0edc0b424d61d9521468a44f3458ee918c3ab12338