Malware Analysis Report

2024-12-07 17:34

Sample ID 241112-q7y8nstgna
Target 188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe
SHA256 188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61
Tags
amadey lumma stealc 9c9aa5 tale credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Stealc family

Amadey

Lumma family

Amadey family

Modifies Windows Defender Real-time Protection settings

Lumma Stealer, LummaC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Windows security modification

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads data files stored by FTP clients

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 13:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 13:54

Reported

2024-11-12 13:57

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A

Reads data files stored by FTP clients

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0898519412.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005755001\\0898519412.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b835e8b39.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005757001\\8b835e8b39.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
PID 4788 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
PID 4092 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4788 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
PID 1376 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
PID 4740 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2528 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe
PID 2528 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2528 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe

Processes

C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe

"C:\Users\Admin\AppData\Local\Temp\188451538cc9c6f530966e63fc9871f99e3320761a45fabba2ec47d7b7f64f61.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe

"C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe

"C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe

C:\ProgramData\chrome.dll

C:\Users\Admin\AppData\Local\Temp\1005755001\0898519412.exe

C:\Users\Admin\AppData\Local\Temp\1005757001\8b835e8b39.exe
