Analysis Overview
SHA256
77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf
Threat Level: Known bad
The file 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
Amadey
Amadey family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Uses browser remote debugging
Downloads MZ/PE file
Checks BIOS information in registry
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Identifies Wine through registry keys
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-12 13:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 13:40
Reported
2024-11-12 13:42
Platform
win7-20240903-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Amadey
Amadey family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\38ffdc0294.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005752001\\38ffdc0294.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\897786c1fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005754001\\897786c1fd.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
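The Defender policy writes above (under SOFTWARE\Policies on the win7 run and under SOFTWARE\WOW6432Node\Policies on the win10 run), the TamperProtection value, the VirtualBox ACPI, BIOS-version and Wine probes, and the two Run keys written by skotes.exe (the sample's own copy: its SHA256 in the Files section equals the submitted hash) are all registry events of the kind this report and most EDR products emit. The following Python is an added example, not part of the report or of any tool it names: it parses rows in the report's table layout, collapses the WOW6432Node redirection so both runs match the same rules, and tags each event with the ATT&CK sub-technique assigned here by the editor (T1562.001 for the Defender changes, T1547.001 for the Run keys, T1497.001 for the environment probes). Every sample row is copied from this report; the cmd.exe row is included as a control that produces no finding.

```python
"""Classify registry events from a sandbox report into ATT&CK-tagged findings.

Added example, not part of the original report. Rows follow the report's
'| Description | Indicator | Process | Target |' layout; every row in SAMPLE_ROWS
is copied from the report (the cmd.exe row is the no-finding control).
"""
import re
from collections import defaultdict

# Real-Time Protection policy values that turn a Defender component off when set to 1.
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Lower-cased key suffixes whose opening or querying is an analysis-environment probe.
ANTI_ANALYSIS_KEYS = {
    r"\hardware\acpi\dsdt\vbox__": "VirtualBox ACPI table",
    r"\software\wine": "Wine registry key",
    r"\hardware\description\system\systembiosversion": "BIOS version string",
    r"\hardware\description\system\videobiosversion": "video BIOS version string",
}

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)
SET_RE = re.compile(r'^(?P<path>.+?)\s*=\s*"(?P<value>.*)"$')

def parse_row(line):
    """Four cells of one signature row, or None for headers and non-table lines."""
    m = ROW_RE.match(line.strip())
    if not m or m.group("desc") == "Description":
        return None
    return m.groupdict()

def normalize_path(path):
    """Drop WOW6432Node so the 32-bit writes in the win10 run and the 64-bit
    writes in the win7 run are matched by the same rule."""
    return re.sub(r"\\WOW6432Node", "", path, flags=re.IGNORECASE)

def classify(row):
    """Map one row to (ATT&CK technique id, finding text), or None."""
    desc = row["desc"]
    ind = normalize_path(row["ind"])
    if desc.startswith("Set value"):
        m = SET_RE.match(ind)
        if not m:
            return None
        path, value = m.group("path"), m.group("value")
        lower, name = path.lower(), path.rsplit("\\", 1)[-1]
        if ("\\windows defender\\real-time protection\\" in lower
                and name in DEFENDER_RTP_DISABLE_VALUES and value == "1"):
            return ("T1562.001", f"Defender real-time protection disabled via policy: {name}")
        if lower.endswith("\\windows defender\\features\\tamperprotection") and value == "0":
            return ("T1562.001", "Defender TamperProtection value set to 0")
        if "\\software\\microsoft\\windows\\currentversion\\run\\" in lower:
            return ("T1547.001", f"Run key persistence: {name} -> {value}")
    elif desc in ("Key opened", "Key value queried"):
        lower = ind.lower()
        for suffix, label in ANTI_ANALYSIS_KEYS.items():
            if lower.endswith(suffix):
                return ("T1497.001", f"Analysis-environment probe: {label}")
    return None

def triage(report_text):
    """Findings grouped by the process that produced them."""
    findings = defaultdict(list)
    for line in report_text.splitlines():
        row = parse_row(line)
        hit = classify(row) if row else None
        if hit:
            findings[row["proc"]].append(hit)
    return dict(findings)

def summarize(report_text):
    """Process -> sorted distinct technique ids."""
    return {p: sorted({t for t, _ in hits}) for p, hits in triage(report_text).items()}

# Rows copied from the report's signature tables (both detonations).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\38ffdc0294.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005752001\\38ffdc0294.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
"""

if __name__ == "__main__":
    for proc, hits in triage(SAMPLE_ROWS).items():
        print(proc, *[f"\n  {t}  {text}" for t, text in hits])
```

Only a value of "1" for the Real-Time Protection switches and "0" for TamperProtection count as findings, so a policy that re-enables protection is not flagged; the Run-key rule fires on any write, because the written value is itself the persistence target worth recording.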
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsJJJJDAAECG.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2764 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe
"C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe
"C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bf9758,0x7fef6bf9768,0x7fef6bf9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1308 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1396 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1992 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2000 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe
"C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3320 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsJJJJDAAECG.exe"
C:\Users\Admin\DocumentsJJJJDAAECG.exe
"C:\Users\Admin\DocumentsJJJJDAAECG.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| N/A | 127.0.0.1:9229 | 127.0.0.1 | tcp |
| N/A | 127.0.0.1:9229 | 127.0.0.1 | tcp |
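The "Uses browser remote debugging" signature above has no indicator of its own, but the Processes list shows what fired it: chrome.exe launched with --remote-debugging-port=9229 --profile-directory="Default", renderer children carrying the same inherited switch, and two loopback connections to 127.0.0.1:9229 in the Network table, consistent with a DevTools protocol client attached to the running browser to read cookies and session data instead of decrypting profile files on disk. The Python below is an added example, not part of the report or of any tool it names: it flags only the top-level browser process (children with a --type= switch are skipped), records the profile exposed, and raises severity when a loopback connection to the advertised port is present. The first command line is copied from the Processes list, the renderer line is a trimmed copy, and the PIDs, the benign third launch and the connection list are constructed.

```python
"""Flag a browser started with DevTools remote debugging and correlate it with
loopback connections to the debug port.

Added example, not part of the original report. The first command line is copied
from the report's process list and the second is its renderer child, trimmed;
PIDs, the third (benign) launch and the connection list are constructed.
"""
import re

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
TYPE_RE = re.compile(r"--type=\S+")
PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")
PIPE_RE = re.compile(r"--remote-debugging-pipe(?=\s|$)")
PROFILE_RE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))')

def image_name(cmdline):
    """Lower-cased file name of the executable token, quoted or bare."""
    m = IMAGE_RE.match(cmdline)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()

def debug_launch(cmdline):
    """Debug port if this is a top-level browser process with remote debugging on
    (0 stands for --remote-debugging-pipe), otherwise None.

    Chrome copies its switches into --type=renderer/gpu-process/utility children,
    so those are skipped: one launch yields one finding."""
    if image_name(cmdline) not in BROWSER_IMAGES or TYPE_RE.search(cmdline):
        return None
    m = PORT_RE.search(cmdline)
    if m:
        return int(m.group(1))
    return 0 if PIPE_RE.search(cmdline) else None

def profile_dir(cmdline):
    """Profile named on the command line, or None when the browser picks one itself."""
    m = PROFILE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def correlate(processes, connections):
    """processes: (pid, cmdline) pairs; connections: (dst_ip, dst_port) pairs.

    A loopback connection to the advertised port means something actually attached
    to the DevTools endpoint, which raises the finding from medium to high."""
    loopback_ports = {port for ip, port in connections if ip.startswith("127.") or ip == "::1"}
    findings = []
    for pid, cmdline in processes:
        port = debug_launch(cmdline)
        if port is None:
            continue
        attached = port != 0 and port in loopback_ports
        findings.append({
            "pid": pid,
            "image": image_name(cmdline),
            "port": port,
            "profile": profile_dir(cmdline),
            "client_attached": attached,
            "severity": "high" if attached else "medium",
        })
    return findings

# PIDs are constructed; command lines 1 and 2 come from the report (2 trimmed),
# line 3 is a constructed benign launch, line 4 is the report's Amadey payload.
PROCESSES = [
    (4104, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"'),
    (4120, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --remote-debugging-port=9229 --lang=en-US --renderer-client-id=6'),
    (3012, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"'),
    (2900, r'"C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe"'),
]
# Destinations from the report's Network table; pairing with PIDs is not available there.
CONNECTIONS = [("185.215.113.43", 80), ("127.0.0.1", 9229), ("127.0.0.1", 9229)]

if __name__ == "__main__":
    for finding in correlate(PROCESSES, CONNECTIONS):
        print(finding)
```

The same rule applied to live telemetry should key on the parent process as well: a browser started by a binary in %TEMP% with a debugging switch is the pattern seen here, while a developer's own launch from an IDE or test runner is the common benign source of the same switch.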
Files
memory/2112-0-0x00000000001D0000-0x00000000004E7000-memory.dmp
memory/2112-1-0x0000000077570000-0x0000000077572000-memory.dmp
memory/2112-2-0x00000000001D1000-0x0000000000239000-memory.dmp
memory/2112-3-0x00000000001D0000-0x00000000004E7000-memory.dmp
memory/2112-4-0x00000000001D0000-0x00000000004E7000-memory.dmp
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | d2bb2a25108b9a225c896fd5c0e469c0 |
| SHA1 | 390c5a3c07adfaa98c4654830e5fff7217adc7ff |
| SHA256 | 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf |
| SHA512 | 6489c0553932f3391b3c0af5d0e9894a0938c77bfd7b8c2e01f0c5e13d8ad79789a93d81e5564cf7c5508d1ce21743b2f2af3f0285c9d9ae9632870d1896b86c |
memory/2112-15-0x00000000001D0000-0x00000000004E7000-memory.dmp
memory/2764-17-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2112-19-0x00000000001D1000-0x0000000000239000-memory.dmp
memory/2112-18-0x0000000006360000-0x0000000006677000-memory.dmp
memory/2112-14-0x00000000001D0000-0x00000000004E7000-memory.dmp
memory/2764-21-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-20-0x0000000000C51000-0x0000000000CB9000-memory.dmp
memory/2764-22-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-24-0x0000000000C50000-0x0000000000F67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe
| MD5 | 25b574f2239f60ad04f625eee5216745 |
| SHA1 | 2cdb1245e4149fc829e1b4250ff8331daa61179f |
| SHA256 | 535e247657b398488aa8f94d3505189260ad2ab0013c955a233b2fb8da9d4972 |
| SHA512 | 13747612c66fd9e143d47d8af89c4ad54d04b2188333823a93bd2ee5bdac575dc3105b2250daf713435ed39b48989e7adfdd54d84ca8f1e312a9fd3fd7b10c82 |
memory/2764-40-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-42-0x0000000006710000-0x0000000006DAB000-memory.dmp
memory/2764-44-0x0000000000C51000-0x0000000000CB9000-memory.dmp
memory/2764-43-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-46-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-45-0x0000000006710000-0x0000000006DAB000-memory.dmp
memory/1104-47-0x00000000013D0000-0x0000000001A6B000-memory.dmp
memory/2764-48-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-53-0x00000000060F0000-0x0000000006407000-memory.dmp
memory/2032-55-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-57-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-58-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-61-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1104-64-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2032-62-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-82-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2032-81-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-79-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2032-76-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-88-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-87-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-86-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-85-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-84-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-90-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-89-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-95-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-94-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-93-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-92-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-91-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-113-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-112-0x0000000000400000-0x0000000000A9B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
\??\pipe\crashpad_2220_BKEXRPRDICAAKUQM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2032-111-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-110-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-109-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-108-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-107-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-106-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-105-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-104-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-103-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-102-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-101-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-100-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-99-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-98-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-97-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2032-96-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/2764-155-0x0000000006710000-0x0000000006DAB000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe
| MD5 | 079d8ff64998ac428f4860a3ed06ba5b |
| SHA1 | 38232293df478df95afc960ea74a9b974ac67818 |
| SHA256 | 44a5915b16812fcffbcb574f5f06e7421ad9e802d95ceef4a6b0664baf18e39f |
| SHA512 | b46923a74db8ea2557efe678fa10a1b5778656755ff24776405efb7585b8fce31b8561e5ce01c9820ff27ce700191f4ba2d8d1acb9c7cad3d5b6ae6d078c3d1a |
memory/1104-174-0x00000000013D0000-0x0000000001A6B000-memory.dmp
memory/2764-173-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/1104-175-0x00000000013D0000-0x0000000001A6B000-memory.dmp
memory/2764-180-0x00000000060F0000-0x00000000063A4000-memory.dmp
memory/2900-183-0x0000000000DB0000-0x0000000001064000-memory.dmp
memory/2764-182-0x00000000060F0000-0x0000000006407000-memory.dmp
memory/2900-187-0x0000000000DB0000-0x0000000001064000-memory.dmp
memory/2900-188-0x0000000000DB0000-0x0000000001064000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2764-228-0x0000000000C50000-0x0000000000F67000-memory.dmp
memory/2764-230-0x00000000060F0000-0x00000000063A4000-memory.dmp
\Users\Admin\DocumentsJJJJDAAECG.exe
| MD5 | 5d92c01d9d2a15e0f55433b1cf43cdd0 |
| SHA1 | 4e97c35531f8008db3acdccc81cdc1421cc6a278 |
| SHA256 | 7877786569d0683af4f6e8e95dd58d92e36cb0e8c164c11dbd7c9ca652380978 |
| SHA512 | 4c02ad5befea2d11ca07750f8bb91e2cd32783a7ebea8c61f81de6abb9b72af74b2aa42ca3f5681f0b7d8ba7b6ae97aaa91009ca88573d79b3178da472129c70 |
memory/2900-237-0x0000000000DB0000-0x0000000001064000-memory.dmp
memory/2256-238-0x0000000001010000-0x0000000001335000-memory.dmp
memory/1104-240-0x00000000013D0000-0x0000000001A6B000-memory.dmp
memory/2256-242-0x0000000001010000-0x0000000001335000-memory.dmp
memory/2900-245-0x0000000000DB0000-0x0000000001064000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 13:40
Reported
2024-11-12 13:42
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2072 created 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | C:\Windows\Explorer.EXE |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d128cadf2f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005752001\\d128cadf2f.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d1634517f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005754001\\5d1634517f.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe |
| PID 2072 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif |
| PID 2072 set thread context of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\AolYour | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\FundraisingEssentials | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\VisibilityImplied | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\ScholarshipsReplication | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\StudioEdt | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\MetaMilfs | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File opened for modification | C:\Windows\GuitarSad | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| File opened for modification | C:\Windows\SkirtFunctions | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe | "C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe" |
| C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe" |
| C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe | "C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Uh Uh.cmd & Uh.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 27375 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "optimizationsquarerehabseq" Tech |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Maintained + ..\Bryan + ..\Ace + ..\Stored + ..\Concerts + ..\Tiny + ..\Simplified G |
| C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | Lovely.pif G |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 15 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Total" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "ZenFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Total" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe | "C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe" |
| C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe" |
| C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe | "C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe" |
| C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif |
| C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe |
| C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif | C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif |
| C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dev-marcepan.grupa-abs.pl | udp |
| PL | 212.87.244.196:443 | dev-marcepan.grupa-abs.pl | tcp |
| US | 8.8.8.8:53 | 43.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e6.o.lencr.org | udp |
| GB | 2.23.210.82:80 | e6.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.244.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ZByrsnSvAcGEaDRNGjI.ZByrsnSvAcGEaDRNGjI | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frogmen-smell.sbs | udp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 172.67.198.129:443 | thicktoys.sbs | tcp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 8.8.8.8:53 | 133.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.198.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| US | 104.21.7.31:443 | pull-trucker.sbs | tcp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 172.67.173.191:443 | 3xc1aimbl0w.sbs | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.7.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bored-light.sbs | udp |
| US | 104.21.68.80:443 | bored-light.sbs | tcp |
| US | 8.8.8.8:53 | 300snails.sbs | udp |
| US | 104.21.8.62:443 | 300snails.sbs | tcp |
| US | 8.8.8.8:53 | faintbl0w.sbs | udp |
| US | 104.21.96.94:443 | faintbl0w.sbs | tcp |
| US | 8.8.8.8:53 | 80.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.8.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 94.96.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.82.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 172.67.198.129:443 | thicktoys.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 104.21.7.31:443 | pull-trucker.sbs | tcp |
| US | 172.67.173.191:443 | 3xc1aimbl0w.sbs | tcp |
| US | 104.21.68.80:443 | bored-light.sbs | tcp |
| US | 104.21.8.62:443 | 300snails.sbs | tcp |
| US | 104.21.96.94:443 | faintbl0w.sbs | tcp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | d2bb2a25108b9a225c896fd5c0e469c0 |
| SHA1 | 390c5a3c07adfaa98c4654830e5fff7217adc7ff |
| SHA256 | 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf |
| SHA512 | 6489c0553932f3391b3c0af5d0e9894a0938c77bfd7b8c2e01f0c5e13d8ad79789a93d81e5564cf7c5508d1ce21743b2f2af3f0285c9d9ae9632870d1896b86c |
C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe
| MD5 | bd9ea2886936f3013285b983c3c1537e |
| SHA1 | c92073e3457e9fc787a2c2757745e92c949a0668 |
| SHA256 | bb653dddd858f686a07ac236a6098d9da8dcb8524aedc8da2cb5a6f084cbfebc |
| SHA512 | 6cd0fdd4d89edb60ffae53f0245d188b8400d71ff2d0fdfba7e0255c2e6a94d327fe5b290abe984022652a7f2875bdbf33b82dcff9b30ed7fa0cb0591e68275a |
C:\Users\Admin\AppData\Local\Temp\Uh
| MD5 | a26452a5a6b681e1680ff91ddcfa2c5c |
| SHA1 | 7fe7878abf2f3d5ec30bac96bb32db574416edb5 |
| SHA256 | 717fb7062ce364fbb54c89e1aba5a0de1e3bf3bc239b6c6cdc4972aa6f96fee3 |
| SHA512 | 8a3e5ab0aef13f066280d58063af9a34a9df2053dc417224c57ffa7a174e9ab253ca38efba4753c18d2e1130f8a60a030713b4446c44472e71335386e93f4e08 |
C:\Users\Admin\AppData\Local\Temp\Tech
| MD5 | c190bf2940b6c8bca86355ca1f5d100f |
| SHA1 | 1b6694187b834041aa2e3577e47ebdfebd9dc9de |
| SHA256 | 24c658f99200081bceae83740631ab7326b8a328f23364104c9e534d191ffb28 |
| SHA512 | 01a253b228778be835e619b8b1f4e08ed22c095cd7e935421065bef0acd91fd6089f4b6d3edaa43aa7bdf73d127e7af312feb0a7c0035aedbce48486b334326d |
C:\Users\Admin\AppData\Local\Temp\Advertiser
| MD5 | b2f00d6517111c40a399acc3193a9847 |
| SHA1 | 6c754fc2edb87e6d29b6d5938a7710e6a17c5201 |
| SHA256 | f3df9dd5028e882d651cc871a673f9811b15114e8915375b93bc72b6b93e2733 |
| SHA512 | 1855cd164f00f201105abf906ca4d9acb48adc4c3cde7cb4e1e86293d8b0bb95f3e6d73742102f0cfd030746497be80383abf47c499cd5b91cc0342f0ced2ebf |
C:\Users\Admin\AppData\Local\Temp\Maintained
| MD5 | 02efef57945fdfa1228bb81d764fcaa9 |
| SHA1 | 3544c446eba2ea13df24eaee4854bd9ec50eb911 |
| SHA256 | a843a39f214722b5e878a6c29114b9e71efe5842147f2e79dfa48ae762430679 |
| SHA512 | 67e15b531213cb19080a26ba61281ddc9db5e1a8f1125241d34eca4097cf020081827d3f63c49b3ac6d4b1e651c0bf7af0c96f461d312470e5946830d974ff7d |
C:\Users\Admin\AppData\Local\Temp\Bryan
| MD5 | 2b8f2f734ba41de74b0f2ad8c4635807 |
| SHA1 | c8fde4793ee88811482aa8b8810505fcf978c185 |
| SHA256 | d62ef368aca33c0c7503b469a5701919cc8524310c624182f5243c913d33ca70 |
| SHA512 | 6e6bbc71fc96d7f364ddbfb2165f8e6fc7875e966b36bfcaa622a37f70e59bc571d446ed934d1805e9d70db2fbd93fa8594bb972a1ee8e3f46da39894b887191 |
C:\Users\Admin\AppData\Local\Temp\Ace
| MD5 | a2051ab029f76a13f21d1ee9e1d13fdb |
| SHA1 | f6d2ce4554d8aa45623b4474a36cba2e2f55dbb5 |
| SHA256 | 6c9a4bce60a8b019f5b74cc9861ed3da801ecc7127e4fb8199ff310274e6a6db |
| SHA512 | ece6bfcc0d17c9cf06058db6df98de618892ee416f89024e20bed27a387cbebc7158e1db51133f66d1aef6fcc07c4c1f97bd5d821f2638d614f85f7d08e3e95c |
C:\Users\Admin\AppData\Local\Temp\Stored
| MD5 | 4968ca19c1e07ca817149225f5fdae4a |
| SHA1 | 5eb15169a968ea921edf0a88cb2a0f501ad108c1 |
| SHA256 | 144ad9f5e00905fe457459e5501b341e1523d37c6a5947efe2a12e01c103ca21 |
| SHA512 | 9fbb0e5b0c27ee7770cdc51e5d249cd522dbd4fa8d87e20d9d253ec4bd6dbc18f4b4433fec415bf1dd42801ed5466624cde34b481533d898905aef506cd77c00 |
C:\Users\Admin\AppData\Local\Temp\Concerts
| MD5 | 8d1261afc55e57b8e4d1fbd56fa3c609 |
| SHA1 | cd872e347a2c66f7d4549092362a8db6d2674a30 |
| SHA256 | d5d97b1f80d3680d5177cecb173bb7032379e7e8afa4763a09b7cc00b511ea8c |
| SHA512 | a1a5f4b18d59bf89a9af298b7d8c5273d14f73094230be4e71efb05b3d940e68ef48a4e043ca11cda579a13d6091dc42e763443d9d8636ae9ad1d8f1102aa79b |
C:\Users\Admin\AppData\Local\Temp\Tiny
| MD5 | 45bc518ce494d5b80c2b6af80adff8bb |
| SHA1 | 7defa2817736bacca12072ca858d61064bbde5a3 |
| SHA256 | 0cd19abfc3719aaf60e84529980afb15b58e753980b9d089dff32913a9b8e88b |
| SHA512 | a12cad7b9f58d2897b46c9bbfc361c861f2586177e8a1cbadb74d1b33d32e7a71af69e123bf7d807a4ec39e54cf1414663a508979b23b4c36344a52d481f2f5f |
C:\Users\Admin\AppData\Local\Temp\Simplified
| MD5 | e2fa682e3bbba82ad68e3a8770751da2 |
| SHA1 | 2a22006385ee1386d8ab359e45794e043ea73845 |
| SHA256 | f5c0563e8cb841e8ca1b1480eb512334f1a9c4f0172a21d39514c37d4c6eb8af |
| SHA512 | b829346501967a932fa72b41d19687217ca042fe8fee5d92f3361f32057c0aae011b6457d30dcf030ba7a2ca2e6613182edc79f91f2e560233dda26fb0717994 |
C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\27375\G
| MD5 | 4119ef62bcd358ce3eeb9242067b201b |
| SHA1 | 5d4d94fd119aa6223af089b174c0cf475dbfd7a7 |
| SHA256 | 10bcb2925540219372c72f31dd5766be5850ff2a993ada75f73c8ab429aea077 |
| SHA512 | 1b98598039373301cdea25615889b303526ec14b25a34db978f2ed0d5fdfa8e9a6d2d4fec0ff814de6c6482808f2c99593d542f12b14af8e0450c6f48191c890 |
C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe
| MD5 | 25b574f2239f60ad04f625eee5216745 |
| SHA1 | 2cdb1245e4149fc829e1b4250ff8331daa61179f |
| SHA256 | 535e247657b398488aa8f94d3505189260ad2ab0013c955a233b2fb8da9d4972 |
| SHA512 | 13747612c66fd9e143d47d8af89c4ad54d04b2188333823a93bd2ee5bdac575dc3105b2250daf713435ed39b48989e7adfdd54d84ca8f1e312a9fd3fd7b10c82 |
C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe
| MD5 | 079d8ff64998ac428f4860a3ed06ba5b |
| SHA1 | 38232293df478df95afc960ea74a9b974ac67818 |
| SHA256 | 44a5915b16812fcffbcb574f5f06e7421ad9e802d95ceef4a6b0664baf18e39f |
| SHA512 | b46923a74db8ea2557efe678fa10a1b5778656755ff24776405efb7585b8fce31b8561e5ce01c9820ff27ce700191f4ba2d8d1acb9c7cad3d5b6ae6d078c3d1a |