Malware Analysis Report

2024-12-07 17:34

Sample ID 241112-qylwzsteqp
Target 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf
SHA256 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf
Tags
amadey 9c9aa5 credential_access discovery evasion persistence spyware stealer trojan lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf

Threat Level: Known bad

The file 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf was found to be: Known bad.

Malicious Activity Summary

amadey 9c9aa5 credential_access discovery evasion persistence spyware stealer trojan lumma

Lumma family

Lumma Stealer, LummaC

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

Amadey

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Uses browser remote debugging

Downloads MZ/PE file

Checks BIOS information in registry

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 13:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 13:40

Reported

2024-11-12 13:42

Platform

win7-20240903-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\DocumentsJJJJDAAECG.exe N/A

Downloads MZ/PE file

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\DocumentsJJJJDAAECG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\DocumentsJJJJDAAECG.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\DocumentsJJJJDAAECG.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\38ffdc0294.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005752001\\38ffdc0294.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\897786c1fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005754001\\897786c1fd.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2764 set thread context of 2032 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2764 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe
PID 2764 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1104 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2220 wrote to memory of 2368 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2220 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2220 wrote to memory of 1576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe

"C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe

"C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bf9758,0x7fef6bf9768,0x7fef6bf9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1308 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1396 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1992 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2000 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe

"C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3320 --field-trial-handle=2164,i,4916013783829915813,14486578171456966773,131072 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsJJJJDAAECG.exe"

C:\Users\Admin\DocumentsJJJJDAAECG.exe

"C:\Users\Admin\DocumentsJJJJDAAECG.exe"

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
N/A 127.0.0.1:9229 tcp
N/A 127.0.0.1:9229 tcp

Files

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 d2bb2a25108b9a225c896fd5c0e469c0
SHA1 390c5a3c07adfaa98c4654830e5fff7217adc7ff
SHA256 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf
SHA512 6489c0553932f3391b3c0af5d0e9894a0938c77bfd7b8c2e01f0c5e13d8ad79789a93d81e5564cf7c5508d1ce21743b2f2af3f0285c9d9ae9632870d1896b86c

C:\Users\Admin\AppData\Local\Temp\1005752001\38ffdc0294.exe

MD5 25b574f2239f60ad04f625eee5216745
SHA1 2cdb1245e4149fc829e1b4250ff8331daa61179f
SHA256 535e247657b398488aa8f94d3505189260ad2ab0013c955a233b2fb8da9d4972
SHA512 13747612c66fd9e143d47d8af89c4ad54d04b2188333823a93bd2ee5bdac575dc3105b2250daf713435ed39b48989e7adfdd54d84ca8f1e312a9fd3fd7b10c82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

\??\pipe\crashpad_2220_BKEXRPRDICAAKUQM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\1005754001\897786c1fd.exe

MD5 079d8ff64998ac428f4860a3ed06ba5b
SHA1 38232293df478df95afc960ea74a9b974ac67818
SHA256 44a5915b16812fcffbcb574f5f06e7421ad9e802d95ceef4a6b0664baf18e39f
SHA512 b46923a74db8ea2557efe678fa10a1b5778656755ff24776405efb7585b8fce31b8561e5ce01c9820ff27ce700191f4ba2d8d1acb9c7cad3d5b6ae6d078c3d1a

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Users\Admin\DocumentsJJJJDAAECG.exe

MD5 5d92c01d9d2a15e0f55433b1cf43cdd0
SHA1 4e97c35531f8008db3acdccc81cdc1421cc6a278
SHA256 7877786569d0683af4f6e8e95dd58d92e36cb0e8c164c11dbd7c9ca652380978
SHA512 4c02ad5befea2d11ca07750f8bb91e2cd32783a7ebea8c61f81de6abb9b72af74b2aa42ca3f5681f0b7d8ba7b6ae97aaa91009ca88573d79b3178da472129c70

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 13:40

Reported

2024-11-12 13:42

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2072 created 3448 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d128cadf2f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005752001\\d128cadf2f.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d1634517f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005754001\\5d1634517f.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\AolYour C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\FundraisingEssentials C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\VisibilityImplied C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\ScholarshipsReplication C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\StudioEdt C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\MetaMilfs C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File opened for modification C:\Windows\GuitarSad C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
File opened for modification C:\Windows\SkirtFunctions C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1620 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1620 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe
PID 1980 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe
PID 1980 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe
PID 2948 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3584 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif
PID 3584 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif
PID 3584 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif
PID 3584 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3584 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3584 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2072 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\schtasks.exe
PID 2072 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\schtasks.exe
PID 2072 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe
PID 1980 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe
PID 1980 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1980 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe
PID 1980 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe
PID 1980 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe
PID 2072 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe

"C:\Users\Admin\AppData\Local\Temp\77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe

"C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Uh Uh.cmd & Uh.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 27375

C:\Windows\SysWOW64\findstr.exe

findstr /V "optimizationsquarerehabseq" Tech

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Maintained + ..\Bryan + ..\Ace + ..\Stored + ..\Concerts + ..\Tiny + ..\Simplified G

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

Lovely.pif G

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Total" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ZenFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Total" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe

"C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe

"C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe"

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
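
The command lines above (cmd renaming a dropped blob to Uh.cmd and running it, tasklist piped to findstr for security-product process names, findstr /V carving a payload out of "Tech", copy /b gluing seven dropped chunks into "G", Lovely.pif executing G, choice /d y /t 15 as a sleep, and schtasks registering wscript //B ZenFlow.js at logon and daily with /RL HIGHEST) are the loader chain a detection engineer would want to match as a whole rather than one command at a time. The script below is an added example and is not part of this sandbox report: the command lines in REPORT_CMDLINES are copied verbatim from the Processes list, while every rule name, regex, threshold and the vendor attribution in the comments are my own assumptions rather than signatures from the sandbox.

```python
"""
Added example, not part of this sandbox report: command-line heuristics for
the batch-script loader chain listed under Processes above. The command
lines in REPORT_CMDLINES are copied from the report; every rule name,
regex and threshold below is my own and not a signature from the sandbox.
"""
import re
from collections import defaultdict

# Copied verbatim from the Processes section of the report.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c copy Uh Uh.cmd & Uh.cmd',
    r'tasklist',
    r'findstr /I "wrsa opssvc"',
    r'tasklist',
    r'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"',
    r'cmd /c md 27375',
    r'findstr /V "optimizationsquarerehabseq" Tech',
    r'cmd /c copy /b ..\Maintained + ..\Bryan + ..\Ace + ..\Stored + ..\Concerts + ..\Tiny + ..\Simplified G',
    r'Lovely.pif G',
    r'choice /d y /t 15',
    r'''cmd /c schtasks.exe /create /tn "Total" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST''',
    r'''schtasks.exe /create /tn "ZenFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FlowZen Dynamics\ZenFlow.js'" /sc onlogon /F /RL HIGHEST''',
]

# Image-name fragments the loader greps out of tasklist output, taken from
# the two findstr invocations above. As far as I know they belong to Webroot
# (wrsa), Quick Heal (opssvc), Avast, AVG, Bitdefender, Norton (nswscsvc)
# and Sophos processes (my attribution, not the report's).
AV_PROCESS_HINTS = {"wrsa", "opssvc", "avastui", "avgui",
                    "bdservicehost", "nswscsvc", "sophoshealth"}

# One regex per loader stage. Any single hit is weak evidence on its own;
# the verdict below needs several stages in one detonation.
RULES = {
    # "copy Uh Uh.cmd & Uh.cmd": extensionless dropped blob renamed to .cmd and run
    "self_rename_batch": re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I),
    # 'findstr /V "<long marker>" Tech': carves a payload by dropping marker lines
    "marker_strip": re.compile(r'findstr\s+/V\s+"[A-Za-z0-9]{16,}"\s+\S+', re.I),
    # "copy /b a + b + c out": reassembles a payload split across dropped files
    "chunk_reassembly": re.compile(r"copy\s+/b\s+(?:\S+\s*\+\s*){2,}\S+\s+\S+", re.I),
    # anything launched as a .pif (here a renamed interpreter fed the script "G")
    "pif_exec": re.compile(r"(^|\\|\s)\S+\.pif(\s|$)", re.I),
    # "choice /d y /t 15": a delay without timeout.exe or PowerShell Start-Sleep
    "sleep_via_choice": re.compile(r"\bchoice\s+/d\s+\S+\s+/t\s+\d+", re.I),
    # scheduled task whose action is wscript in silent (//B) mode
    "schtasks_wscript": re.compile(r'schtasks(\.exe)?\s+/create.*?/tr\s+"wscript\s+//B', re.I),
    # task requests the highest run level the caller can get
    "run_level_highest": re.compile(r"schtasks(\.exe)?\s+/create.*?/RL\s+HIGHEST", re.I),
}

def classify(cmdline: str) -> set:
    """Return the set of rule tags a single command line triggers."""
    tags = {tag for tag, rx in RULES.items() if rx.search(cmdline)}
    # tasklist | findstr "<av names>": the sandbox logs the two halves of the
    # pipe as separate processes, so the findstr half carries the signal.
    if re.match(r"findstr\b", cmdline, re.I):
        quoted = re.findall(r'"([^"]*)"', cmdline)
        wanted = {w.lower() for q in quoted for w in q.split()}
        if wanted & AV_PROCESS_HINTS:
            tags.add("av_process_discovery")
    return tags

def triage(cmdlines) -> dict:
    """Map each triggered tag to the command lines that triggered it."""
    hits = defaultdict(list)
    for c in cmdlines:
        for tag in classify(c):
            hits[tag].append(c)
    return dict(hits)

# Stages that together make up the chain seen in this report.
CHAIN_TAGS = ("self_rename_batch", "av_process_discovery", "marker_strip",
              "chunk_reassembly", "pif_exec", "sleep_via_choice", "schtasks_wscript")

def is_batch_loader_chain(cmdlines, min_stages: int = 4) -> bool:
    """True when at least min_stages distinct chain stages appear in one run."""
    return len(set(triage(cmdlines)).intersection(CHAIN_TAGS)) >= min_stages

if __name__ == "__main__":
    for tag, lines in sorted(triage(REPORT_CMDLINES).items()):
        print(f"{tag}:")
        for line in lines:
            print(f"    {line}")
    print("batch-loader chain:", is_batch_loader_chain(REPORT_CMDLINES))
```

The verdict deliberately needs several stages at once: a lone .pif execution or a choice-based delay shows up in benign scripts, but the renamed-batch, AV-grep, marker-strip, chunk-concatenation and silent-wscript-task stages together are the fingerprint of this loader. The per-stage tags are kept separate so an analyst can see which stage fired on a given process tree, for example when a variant swaps choice for timeout or drops the chunk reassembly.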

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 dev-marcepan.grupa-abs.pl udp
PL 212.87.244.196:443 dev-marcepan.grupa-abs.pl tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.82:80 e6.o.lencr.org tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 196.244.87.212.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 ZByrsnSvAcGEaDRNGjI.ZByrsnSvAcGEaDRNGjI udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 frogmen-smell.sbs udp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 8.8.8.8:53 thicktoys.sbs udp
US 172.67.198.129:443 thicktoys.sbs tcp
US 8.8.8.8:53 fleez-inc.sbs udp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 8.8.8.8:53 133.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 129.198.67.172.in-addr.arpa udp
US 8.8.8.8:53 pull-trucker.sbs udp
US 104.21.7.31:443 pull-trucker.sbs tcp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 172.67.173.191:443 3xc1aimbl0w.sbs tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 243.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 31.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 bored-light.sbs udp
US 104.21.68.80:443 bored-light.sbs tcp
US 8.8.8.8:53 300snails.sbs udp
US 104.21.8.62:443 300snails.sbs tcp
US 8.8.8.8:53 faintbl0w.sbs udp
US 104.21.96.94:443 faintbl0w.sbs tcp
US 8.8.8.8:53 80.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 191.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 62.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 crib-endanger.sbs udp
US 172.67.144.50:443 crib-endanger.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 94.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 50.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 marshal-zhukov.com udp
US 104.21.82.174:443 marshal-zhukov.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 8.8.8.8:53 174.82.21.104.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 172.67.198.129:443 thicktoys.sbs tcp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 104.21.7.31:443 pull-trucker.sbs tcp
US 172.67.173.191:443 3xc1aimbl0w.sbs tcp
US 104.21.68.80:443 bored-light.sbs tcp
US 104.21.8.62:443 300snails.sbs tcp
US 104.21.96.94:443 faintbl0w.sbs tcp
US 172.67.144.50:443 crib-endanger.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
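
The Network table above mixes three kinds of rows: reverse (in-addr.arpa) lookups the sandbox resolver made for every peer, forward lookups followed by a TCP connection, and plain-HTTP connections to bare 185.215.113.x addresses that were never looked up by name. Pulling blocklist candidates out of it by hand is error-prone, so the script below is an added example, not part of this sandbox report, that parses the table into those buckets. NETWORK_TABLE is a trimmed copy of the report's own rows; the allowlist in KNOWN_GOOD (treating lencr.org and steamcommunity.com as legitimate infrastructure) and the bucket names are my assumptions.

```python
"""
Added example, not part of this sandbox report: turns the flattened Network
table above into IOC buckets. NETWORK_TABLE is a trimmed copy of the report's
own rows; the allowlist in KNOWN_GOOD and the bucket names are my assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Rows copied from the report's Network table (a subset; the full table has
# more .sbs domains and reverse lookups of the same shape).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 dev-marcepan.grupa-abs.pl udp
PL 212.87.244.196:443 dev-marcepan.grupa-abs.pl tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.82:80 e6.o.lencr.org tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 ZByrsnSvAcGEaDRNGjI.ZByrsnSvAcGEaDRNGjI udp
RU 185.215.113.206:80 185.215.113.206 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 frogmen-smell.sbs udp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 8.8.8.8:53 thicktoys.sbs udp
US 172.67.198.129:443 thicktoys.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 104.21.82.174:443 marshal-zhukov.com tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
"""

# Domains treated as legitimate infrastructure rather than blocklist
# candidates (assumption): lencr.org serves Let's Encrypt OCSP, and
# steamcommunity.com is a high-reputation site. Both still deserve a look in
# context, since a stealer has no business fetching a Steam page.
KNOWN_GOOD = {"lencr.org", "steamcommunity.com"}

@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str

def parse_network_table(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows; skips the header and blanks."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_reverse_lookup(domain: str) -> bool:
    return domain.lower().endswith(".in-addr.arpa")

def registrable(domain: str) -> str:
    """Last two labels; good enough for the TLDs in this report."""
    return ".".join(domain.lower().split(".")[-2:])

def extract_iocs(flows) -> dict:
    out = {"direct_ip": set(), "suspect_domains": set(), "known_good": set(),
           "dns_only": set(), "reverse_lookups": 0}
    for f in flows:
        if is_reverse_lookup(f.domain):
            # PTR queries the sandbox resolver made for the same peers; noise
            out["reverse_lookups"] += 1
        elif f.proto == "tcp" and is_ip(f.domain):
            # TCP to a bare IP with no forward DNS lookup (the 185.215.113.x hosts here)
            out["direct_ip"].add(f"{f.ip}:{f.port}")
        elif f.proto == "tcp" and registrable(f.domain) in KNOWN_GOOD:
            out["known_good"].add(f.domain)
        elif f.proto == "tcp":
            out["suspect_domains"].add(f.domain)
    contacted = out["suspect_domains"] | out["known_good"]
    for f in flows:
        # names resolved but never followed by a connection
        if (f.proto == "udp" and f.port == 53 and not is_reverse_lookup(f.domain)
                and not is_ip(f.domain) and f.domain not in contacted):
            out["dns_only"].add(f.domain)
    return out

def blocklist(iocs: dict) -> list:
    """Sorted host and domain entries a perimeter device can take as-is."""
    ips = {entry.rsplit(":", 1)[0] for entry in iocs["direct_ip"]}
    return sorted(ips | iocs["suspect_domains"])

if __name__ == "__main__":
    iocs = extract_iocs(parse_network_table(NETWORK_TABLE))
    for bucket, value in iocs.items():
        print(bucket, sorted(value) if isinstance(value, set) else value)
    print("blocklist:", blocklist(iocs))
```

Two buckets are worth separating from the blocklist: direct_ip, because a bare-IP HTTP beacon with no name resolution is a different signature from the TLS connections to the many freshly registered .sbs names, and dns_only, because a name that is resolved but never connected to (the random-label ZByrsnSvAcGEaDRNGjI lookup here) is usually a connectivity or sandbox probe rather than an endpoint to block.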

Files

memory/1620-0-0x0000000000870000-0x0000000000B87000-memory.dmp

memory/1620-1-0x0000000077B74000-0x0000000077B76000-memory.dmp

memory/1620-2-0x0000000000871000-0x00000000008D9000-memory.dmp

memory/1620-3-0x0000000000870000-0x0000000000B87000-memory.dmp

memory/1620-5-0x0000000000870000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 d2bb2a25108b9a225c896fd5c0e469c0
SHA1 390c5a3c07adfaa98c4654830e5fff7217adc7ff
SHA256 77f5978fcc4dc1dda5bae6cfba8ecc829e79c5332a9143194e1687e384f7f6bf
SHA512 6489c0553932f3391b3c0af5d0e9894a0938c77bfd7b8c2e01f0c5e13d8ad79789a93d81e5564cf7c5508d1ce21743b2f2af3f0285c9d9ae9632870d1896b86c

memory/1620-15-0x0000000000870000-0x0000000000B87000-memory.dmp

memory/1980-18-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/1620-17-0x0000000000871000-0x00000000008D9000-memory.dmp

memory/1980-23-0x0000000005530000-0x0000000005531000-memory.dmp

memory/1980-24-0x0000000000D71000-0x0000000000DD9000-memory.dmp

memory/1980-22-0x0000000005510000-0x0000000005511000-memory.dmp

memory/1980-21-0x00000000031F0000-0x00000000031F1000-memory.dmp

memory/1980-20-0x0000000005520000-0x0000000005521000-memory.dmp

memory/1980-19-0x0000000005540000-0x0000000005541000-memory.dmp

memory/1980-25-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/1980-26-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/1980-27-0x0000000000D70000-0x0000000001087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1005627001\oi.exe

MD5 bd9ea2886936f3013285b983c3c1537e
SHA1 c92073e3457e9fc787a2c2757745e92c949a0668
SHA256 bb653dddd858f686a07ac236a6098d9da8dcb8524aedc8da2cb5a6f084cbfebc
SHA512 6cd0fdd4d89edb60ffae53f0245d188b8400d71ff2d0fdfba7e0255c2e6a94d327fe5b290abe984022652a7f2875bdbf33b82dcff9b30ed7fa0cb0591e68275a

C:\Users\Admin\AppData\Local\Temp\Uh

MD5 a26452a5a6b681e1680ff91ddcfa2c5c
SHA1 7fe7878abf2f3d5ec30bac96bb32db574416edb5
SHA256 717fb7062ce364fbb54c89e1aba5a0de1e3bf3bc239b6c6cdc4972aa6f96fee3
SHA512 8a3e5ab0aef13f066280d58063af9a34a9df2053dc417224c57ffa7a174e9ab253ca38efba4753c18d2e1130f8a60a030713b4446c44472e71335386e93f4e08

memory/1980-96-0x0000000000D70000-0x0000000001087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tech

MD5 c190bf2940b6c8bca86355ca1f5d100f
SHA1 1b6694187b834041aa2e3577e47ebdfebd9dc9de
SHA256 24c658f99200081bceae83740631ab7326b8a328f23364104c9e534d191ffb28
SHA512 01a253b228778be835e619b8b1f4e08ed22c095cd7e935421065bef0acd91fd6089f4b6d3edaa43aa7bdf73d127e7af312feb0a7c0035aedbce48486b334326d

C:\Users\Admin\AppData\Local\Temp\Advertiser

MD5 b2f00d6517111c40a399acc3193a9847
SHA1 6c754fc2edb87e6d29b6d5938a7710e6a17c5201
SHA256 f3df9dd5028e882d651cc871a673f9811b15114e8915375b93bc72b6b93e2733
SHA512 1855cd164f00f201105abf906ca4d9acb48adc4c3cde7cb4e1e86293d8b0bb95f3e6d73742102f0cfd030746497be80383abf47c499cd5b91cc0342f0ced2ebf

C:\Users\Admin\AppData\Local\Temp\Maintained

MD5 02efef57945fdfa1228bb81d764fcaa9
SHA1 3544c446eba2ea13df24eaee4854bd9ec50eb911
SHA256 a843a39f214722b5e878a6c29114b9e71efe5842147f2e79dfa48ae762430679
SHA512 67e15b531213cb19080a26ba61281ddc9db5e1a8f1125241d34eca4097cf020081827d3f63c49b3ac6d4b1e651c0bf7af0c96f461d312470e5946830d974ff7d

C:\Users\Admin\AppData\Local\Temp\Bryan

MD5 2b8f2f734ba41de74b0f2ad8c4635807
SHA1 c8fde4793ee88811482aa8b8810505fcf978c185
SHA256 d62ef368aca33c0c7503b469a5701919cc8524310c624182f5243c913d33ca70
SHA512 6e6bbc71fc96d7f364ddbfb2165f8e6fc7875e966b36bfcaa622a37f70e59bc571d446ed934d1805e9d70db2fbd93fa8594bb972a1ee8e3f46da39894b887191

C:\Users\Admin\AppData\Local\Temp\Ace

MD5 a2051ab029f76a13f21d1ee9e1d13fdb
SHA1 f6d2ce4554d8aa45623b4474a36cba2e2f55dbb5
SHA256 6c9a4bce60a8b019f5b74cc9861ed3da801ecc7127e4fb8199ff310274e6a6db
SHA512 ece6bfcc0d17c9cf06058db6df98de618892ee416f89024e20bed27a387cbebc7158e1db51133f66d1aef6fcc07c4c1f97bd5d821f2638d614f85f7d08e3e95c

C:\Users\Admin\AppData\Local\Temp\Stored

MD5 4968ca19c1e07ca817149225f5fdae4a
SHA1 5eb15169a968ea921edf0a88cb2a0f501ad108c1
SHA256 144ad9f5e00905fe457459e5501b341e1523d37c6a5947efe2a12e01c103ca21
SHA512 9fbb0e5b0c27ee7770cdc51e5d249cd522dbd4fa8d87e20d9d253ec4bd6dbc18f4b4433fec415bf1dd42801ed5466624cde34b481533d898905aef506cd77c00

C:\Users\Admin\AppData\Local\Temp\Concerts

MD5 8d1261afc55e57b8e4d1fbd56fa3c609
SHA1 cd872e347a2c66f7d4549092362a8db6d2674a30
SHA256 d5d97b1f80d3680d5177cecb173bb7032379e7e8afa4763a09b7cc00b511ea8c
SHA512 a1a5f4b18d59bf89a9af298b7d8c5273d14f73094230be4e71efb05b3d940e68ef48a4e043ca11cda579a13d6091dc42e763443d9d8636ae9ad1d8f1102aa79b

C:\Users\Admin\AppData\Local\Temp\Tiny

MD5 45bc518ce494d5b80c2b6af80adff8bb
SHA1 7defa2817736bacca12072ca858d61064bbde5a3
SHA256 0cd19abfc3719aaf60e84529980afb15b58e753980b9d089dff32913a9b8e88b
SHA512 a12cad7b9f58d2897b46c9bbfc361c861f2586177e8a1cbadb74d1b33d32e7a71af69e123bf7d807a4ec39e54cf1414663a508979b23b4c36344a52d481f2f5f

C:\Users\Admin\AppData\Local\Temp\Simplified

MD5 e2fa682e3bbba82ad68e3a8770751da2
SHA1 2a22006385ee1386d8ab359e45794e043ea73845
SHA256 f5c0563e8cb841e8ca1b1480eb512334f1a9c4f0172a21d39514c37d4c6eb8af
SHA512 b829346501967a932fa72b41d19687217ca042fe8fee5d92f3361f32057c0aae011b6457d30dcf030ba7a2ca2e6613182edc79f91f2e560233dda26fb0717994

C:\Users\Admin\AppData\Local\Temp\27375\Lovely.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\27375\G

MD5 4119ef62bcd358ce3eeb9242067b201b
SHA1 5d4d94fd119aa6223af089b174c0cf475dbfd7a7
SHA256 10bcb2925540219372c72f31dd5766be5850ff2a993ada75f73c8ab429aea077
SHA512 1b98598039373301cdea25615889b303526ec14b25a34db978f2ed0d5fdfa8e9a6d2d4fec0ff814de6c6482808f2c99593d542f12b14af8e0450c6f48191c890

memory/1980-357-0x0000000000D71000-0x0000000000DD9000-memory.dmp

memory/1980-358-0x0000000000D70000-0x0000000001087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1005752001\d128cadf2f.exe

MD5 25b574f2239f60ad04f625eee5216745
SHA1 2cdb1245e4149fc829e1b4250ff8331daa61179f
SHA256 535e247657b398488aa8f94d3505189260ad2ab0013c955a233b2fb8da9d4972
SHA512 13747612c66fd9e143d47d8af89c4ad54d04b2188333823a93bd2ee5bdac575dc3105b2250daf713435ed39b48989e7adfdd54d84ca8f1e312a9fd3fd7b10c82

memory/1980-374-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/3620-375-0x00000000002C0000-0x000000000095B000-memory.dmp

memory/1980-376-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/3620-377-0x00000000002C0000-0x000000000095B000-memory.dmp

memory/5020-381-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-379-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-382-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-393-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-390-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-394-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-392-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-391-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-389-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-388-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-386-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-385-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-383-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-387-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-384-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-396-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-405-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-400-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-399-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-398-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-397-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-395-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-404-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-406-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-410-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-411-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-409-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-408-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-407-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-403-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-402-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-401-0x0000000000400000-0x0000000000A9B000-memory.dmp

memory/5020-412-0x0000000000400000-0x0000000000A9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1005754001\5d1634517f.exe

MD5 079d8ff64998ac428f4860a3ed06ba5b
SHA1 38232293df478df95afc960ea74a9b974ac67818
SHA256 44a5915b16812fcffbcb574f5f06e7421ad9e802d95ceef4a6b0664baf18e39f
SHA512 b46923a74db8ea2557efe678fa10a1b5778656755ff24776405efb7585b8fce31b8561e5ce01c9820ff27ce700191f4ba2d8d1acb9c7cad3d5b6ae6d078c3d1a

memory/4388-455-0x0000000000950000-0x0000000000C04000-memory.dmp

memory/1980-456-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/4388-457-0x0000000000950000-0x0000000000C04000-memory.dmp

memory/4388-458-0x0000000000950000-0x0000000000C04000-memory.dmp

memory/3944-466-0x00000000014A0000-0x00000000014F6000-memory.dmp

memory/4388-468-0x0000000000950000-0x0000000000C04000-memory.dmp

memory/3944-469-0x00000000014A0000-0x00000000014F6000-memory.dmp

memory/3944-471-0x00000000014A0000-0x00000000014F6000-memory.dmp

memory/4388-475-0x0000000000950000-0x0000000000C04000-memory.dmp

memory/4536-478-0x0000000000D70000-0x0000000001087000-memory.dmp

memory/2300-491-0x0000000000D70000-0x0000000001087000-memory.dmp