amadey | 0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

Analysis

max time kernel
115s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.9MB
MD5

46c3863c4f153d69dbf4d5bfbbc90a73
SHA1

4fa6468cd70687385c225f1500ae570102a4e370
SHA256

0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
SHA512

2d09b274468cf1b6c289c94721b94699c81584763d378769473b14395da8492e853eaa971d94ffeb2988ca582ec347ed3c9fea9c74188a230a344c44eca88f36
SSDEEP

49152:hqfRikf1mVQKq9GM/4qQlc6eBhwMPsy1YtXA:hq5ikf1mVPq9J/ga6eBhwMP8

Score

10^/10

amadey lumma stealc xmrig 9c9aa5 stok credential_access discovery evasion miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://tacitglibbr.biz/api

https://immureprech.biz/api

https://deafeninggeh.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	24b84724d7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4efbc599c1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98386c18ad.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2008-688-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98386c18ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4efbc599c1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98386c18ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	24b84724d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	24b84724d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4efbc599c1.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	CZ5485WFZbkxx8er.exe

Executes dropped EXE 50 IoCs

pid	Process
2748	skotes.exe
1156	e147d7ff2e.exe
2752	ShtrayEasy35.exe
2628	CZ5485WFZbkxx8er.exe
800	5LFYQ2cxzYmFtiEp.exe
2800	mkTQxRWlbBDhngid.exe
1376	RqfYJFcucv8TCfbB.exe
2820	UkPawuibHrdwCXMi.exe
2832	v9WCCh1iRXHZGe6n.exe
668	4CAGv34p1ZEWwpej.exe
1080	SXtfSqpiayGQmoG9.exe
2664	giYFhERINGV4IqUE.exe
2068	4btu0ngM9bRjBhHy.exe
2500	8DJFDmio8Rtklj0t.exe
592	wri3bbe0NifjBnbf.exe
1676	2fb607d829.exe
1968	5361fe3f5e.exe
2520	reLuHlfc4rc65EWu.exe
684	SBj1VcMkwUzQ6sxO.exe
588	NfhS0hECaAltppQV.exe
3008	KCkKYg6VPudY3AqN.exe
1916	24b84724d7.exe
2860	9UKFuogwarNyUkKG.exe
3004	Fzy9UKvTOkBA8gmF.exe
2452	21YB9C5freNBN0Hg.exe
660	8i9l5admY5Kl33TB.exe
2956	4efbc599c1.exe
1924	169f6b3377.exe
2476	7z.exe
3012	EprkUsgtXqnayi32.exe
1156	7z.exe
1892	7z.exe
2912	HKBTelBMY2g9fpiz.exe
1520	98386c18ad.exe
2844	7z.exe
884	7z.exe
2672	7z.exe
3056	7z.exe
988	7z.exe
2464	3OcX0WZpP1wwmpcp.exe
2428	6i4zJkCnyN2p41iK.exe
2416	in.exe
2332	EEB6FrjVfAWcnQH4.exe
1728	dGnfmub6DnzCw1dd.exe
2816	2swC6asb1tIII3z1.exe
2672	DC2bsPtf9Hz2Thy3.exe
2588	4hmBoMuRz3hMo7ch.exe
2944	KJXuV6uZrJ5C3PFK.exe
2804	JbOVIpEalqbHNiEI.exe
2580	HOs97QLWF7wGwYwz.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	24b84724d7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	4efbc599c1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	98386c18ad.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	file.exe
2072	file.exe
2748	skotes.exe
2748	skotes.exe
2748	skotes.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2628	CZ5485WFZbkxx8er.exe
2752	ShtrayEasy35.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2748	skotes.exe
2752	ShtrayEasy35.exe
1268	WerFault.exe
2748	skotes.exe
2748	skotes.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2748	skotes.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2748	skotes.exe
2748	skotes.exe
2752	ShtrayEasy35.exe
904	cmd.exe
2476	7z.exe
904	cmd.exe
1156	7z.exe
904	cmd.exe
1892	7z.exe
904	cmd.exe
2748	skotes.exe
2748	skotes.exe
2844	7z.exe
904	cmd.exe
884	7z.exe
904	cmd.exe
2672	7z.exe
904	cmd.exe
3056	7z.exe
904	cmd.exe
988	7z.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
904	cmd.exe
904	cmd.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe
2752	ShtrayEasy35.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\169f6b3377.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015569001\\169f6b3377.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\98386c18ad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015570001\\98386c18ad.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZKCU059U\\CZ5485WFZbkxx8er.exe"	CZ5485WFZbkxx8er.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\24b84724d7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015567001\\24b84724d7.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\4efbc599c1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015568001\\4efbc599c1.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001bf13-480.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2072	file.exe
2748	skotes.exe
1916	24b84724d7.exe
2956	4efbc599c1.exe
1520	98386c18ad.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-574-0x000000013FD40000-0x00000001401D0000-memory.dmp	upx
behavioral1/memory/2416-678-0x000000013F980000-0x000000013FE10000-memory.dmp	upx
behavioral1/memory/2416-690-0x000000013F980000-0x000000013FE10000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1268	2664	WerFault.exe	47
2364	1488	WerFault.exe	51
2580	1912	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e147d7ff2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	169f6b3377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CZ5485WFZbkxx8er.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4efbc599c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sUWOErHQ3gyho12s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24b84724d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98386c18ad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	169f6b3377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PHwmDA0dcyRyCmtG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giYFhERINGV4IqUE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb607d829.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	169f6b3377.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1124	powershell.exe
1736	PING.EXE
2504	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e147d7ff2e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e147d7ff2e.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2880	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2368	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	24b84724d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	e147d7ff2e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e147d7ff2e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e147d7ff2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	24b84724d7.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1736	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	file.exe
2748	skotes.exe
1156	e147d7ff2e.exe
2752	ShtrayEasy35.exe
2628	CZ5485WFZbkxx8er.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
2800	mkTQxRWlbBDhngid.exe
1376	RqfYJFcucv8TCfbB.exe
800	5LFYQ2cxzYmFtiEp.exe
2820	UkPawuibHrdwCXMi.exe
2832	v9WCCh1iRXHZGe6n.exe
1080	SXtfSqpiayGQmoG9.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
668	4CAGv34p1ZEWwpej.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
1376	RqfYJFcucv8TCfbB.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
800	5LFYQ2cxzYmFtiEp.exe
2832	v9WCCh1iRXHZGe6n.exe
1080	SXtfSqpiayGQmoG9.exe
2820	UkPawuibHrdwCXMi.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
2832	v9WCCh1iRXHZGe6n.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
1080	SXtfSqpiayGQmoG9.exe
2820	UkPawuibHrdwCXMi.exe
2820	UkPawuibHrdwCXMi.exe
2820	UkPawuibHrdwCXMi.exe
2820	UkPawuibHrdwCXMi.exe
2820	UkPawuibHrdwCXMi.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	2476	7z.exe
Token: 35	2476	7z.exe
Token: SeSecurityPrivilege	2476	7z.exe
Token: SeSecurityPrivilege	2476	7z.exe
Token: SeRestorePrivilege	1156	7z.exe
Token: 35	1156	7z.exe
Token: SeSecurityPrivilege	1156	7z.exe
Token: SeSecurityPrivilege	1156	7z.exe
Token: SeRestorePrivilege	1892	7z.exe
Token: 35	1892	7z.exe
Token: SeSecurityPrivilege	1892	7z.exe
Token: SeSecurityPrivilege	1892	7z.exe
Token: SeRestorePrivilege	2844	7z.exe
Token: 35	2844	7z.exe
Token: SeSecurityPrivilege	2844	7z.exe
Token: SeSecurityPrivilege	2844	7z.exe
Token: SeRestorePrivilege	884	7z.exe
Token: 35	884	7z.exe
Token: SeSecurityPrivilege	884	7z.exe
Token: SeSecurityPrivilege	884	7z.exe
Token: SeRestorePrivilege	2672	7z.exe
Token: 35	2672	7z.exe
Token: SeSecurityPrivilege	2672	7z.exe
Token: SeSecurityPrivilege	2672	7z.exe
Token: SeRestorePrivilege	3056	7z.exe
Token: 35	3056	7z.exe
Token: SeSecurityPrivilege	3056	7z.exe
Token: SeSecurityPrivilege	3056	7z.exe
Token: SeRestorePrivilege	988	7z.exe
Token: 35	988	7z.exe
Token: SeSecurityPrivilege	988	7z.exe
Token: SeSecurityPrivilege	988	7z.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2368	taskkill.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2072	file.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe
1924	169f6b3377.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2748	2072	file.exe	30
PID 2072 wrote to memory of 2748	2072	file.exe	30
PID 2072 wrote to memory of 2748	2072	file.exe	30
PID 2072 wrote to memory of 2748	2072	file.exe	30
PID 2748 wrote to memory of 1156	2748	skotes.exe	32
PID 2748 wrote to memory of 1156	2748	skotes.exe	32
PID 2748 wrote to memory of 1156	2748	skotes.exe	32
PID 2748 wrote to memory of 1156	2748	skotes.exe	32
PID 1156 wrote to memory of 2464	1156	e147d7ff2e.exe	35
PID 1156 wrote to memory of 2464	1156	e147d7ff2e.exe	35
PID 1156 wrote to memory of 2464	1156	e147d7ff2e.exe	35
PID 1156 wrote to memory of 2464	1156	e147d7ff2e.exe	35
PID 2464 wrote to memory of 2880	2464	cmd.exe	37
PID 2464 wrote to memory of 2880	2464	cmd.exe	37
PID 2464 wrote to memory of 2880	2464	cmd.exe	37
PID 2464 wrote to memory of 2880	2464	cmd.exe	37
PID 2748 wrote to memory of 2752	2748	skotes.exe	38
PID 2748 wrote to memory of 2752	2748	skotes.exe	38
PID 2748 wrote to memory of 2752	2748	skotes.exe	38
PID 2748 wrote to memory of 2752	2748	skotes.exe	38
PID 2752 wrote to memory of 2628	2752	ShtrayEasy35.exe	39
PID 2752 wrote to memory of 2628	2752	ShtrayEasy35.exe	39
PID 2752 wrote to memory of 2628	2752	ShtrayEasy35.exe	39
PID 2752 wrote to memory of 2628	2752	ShtrayEasy35.exe	39
PID 2752 wrote to memory of 800	2752	ShtrayEasy35.exe	40
PID 2752 wrote to memory of 800	2752	ShtrayEasy35.exe	40
PID 2752 wrote to memory of 800	2752	ShtrayEasy35.exe	40
PID 2752 wrote to memory of 800	2752	ShtrayEasy35.exe	40
PID 2752 wrote to memory of 2800	2752	ShtrayEasy35.exe	41
PID 2752 wrote to memory of 2800	2752	ShtrayEasy35.exe	41
PID 2752 wrote to memory of 2800	2752	ShtrayEasy35.exe	41
PID 2752 wrote to memory of 2800	2752	ShtrayEasy35.exe	41
PID 2752 wrote to memory of 2820	2752	ShtrayEasy35.exe	42
PID 2752 wrote to memory of 2820	2752	ShtrayEasy35.exe	42
PID 2752 wrote to memory of 2820	2752	ShtrayEasy35.exe	42
PID 2752 wrote to memory of 2820	2752	ShtrayEasy35.exe	42
PID 2752 wrote to memory of 1376	2752	ShtrayEasy35.exe	43
PID 2752 wrote to memory of 1376	2752	ShtrayEasy35.exe	43
PID 2752 wrote to memory of 1376	2752	ShtrayEasy35.exe	43
PID 2752 wrote to memory of 1376	2752	ShtrayEasy35.exe	43
PID 2752 wrote to memory of 668	2752	ShtrayEasy35.exe	44
PID 2752 wrote to memory of 668	2752	ShtrayEasy35.exe	44
PID 2752 wrote to memory of 668	2752	ShtrayEasy35.exe	44
PID 2752 wrote to memory of 668	2752	ShtrayEasy35.exe	44
PID 2752 wrote to memory of 2832	2752	ShtrayEasy35.exe	45
PID 2752 wrote to memory of 2832	2752	ShtrayEasy35.exe	45
PID 2752 wrote to memory of 2832	2752	ShtrayEasy35.exe	45
PID 2752 wrote to memory of 2832	2752	ShtrayEasy35.exe	45
PID 2752 wrote to memory of 1080	2752	ShtrayEasy35.exe	46
PID 2752 wrote to memory of 1080	2752	ShtrayEasy35.exe	46
PID 2752 wrote to memory of 1080	2752	ShtrayEasy35.exe	46
PID 2752 wrote to memory of 1080	2752	ShtrayEasy35.exe	46
PID 2752 wrote to memory of 2664	2752	ShtrayEasy35.exe	47
PID 2752 wrote to memory of 2664	2752	ShtrayEasy35.exe	47
PID 2752 wrote to memory of 2664	2752	ShtrayEasy35.exe	47
PID 2752 wrote to memory of 2664	2752	ShtrayEasy35.exe	47
PID 2664 wrote to memory of 1268	2664	giYFhERINGV4IqUE.exe	48
PID 2664 wrote to memory of 1268	2664	giYFhERINGV4IqUE.exe	48
PID 2664 wrote to memory of 1268	2664	giYFhERINGV4IqUE.exe	48
PID 2664 wrote to memory of 1268	2664	giYFhERINGV4IqUE.exe	48
PID 2752 wrote to memory of 2068	2752	ShtrayEasy35.exe	49
PID 2752 wrote to memory of 2068	2752	ShtrayEasy35.exe	49
PID 2752 wrote to memory of 2068	2752	ShtrayEasy35.exe	49
PID 2752 wrote to memory of 2068	2752	ShtrayEasy35.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2400	attrib.exe
2932	attrib.exe
2100	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\1015558001\e147d7ff2e.exe
    "C:\Users\Admin\AppData\Local\Temp\1015558001\e147d7ff2e.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1015558001\e147d7ff2e.exe" & rd /s /q "C:\ProgramData\S2VKXL68GLN7" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2880
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\ZKCU059U\CZ5485WFZbkxx8er.exe
      C:\Users\Admin\AppData\Local\Temp\ZKCU059U\CZ5485WFZbkxx8er.exe 2752
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\5LFYQ2cxzYmFtiEp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\5LFYQ2cxzYmFtiEp.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mkTQxRWlbBDhngid.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mkTQxRWlbBDhngid.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\UkPawuibHrdwCXMi.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\UkPawuibHrdwCXMi.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\RqfYJFcucv8TCfbB.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\RqfYJFcucv8TCfbB.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4CAGv34p1ZEWwpej.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4CAGv34p1ZEWwpej.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\v9WCCh1iRXHZGe6n.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\v9WCCh1iRXHZGe6n.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\SXtfSqpiayGQmoG9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\SXtfSqpiayGQmoG9.exe 2752
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\giYFhERINGV4IqUE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\giYFhERINGV4IqUE.exe 2752
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 164
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4btu0ngM9bRjBhHy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4btu0ngM9bRjBhHy.exe 2752
      4⤵
      Executes dropped EXE
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8DJFDmio8Rtklj0t.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8DJFDmio8Rtklj0t.exe 2752
      4⤵
      Executes dropped EXE
      PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\sUWOErHQ3gyho12s.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\sUWOErHQ3gyho12s.exe 2752
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 160
        5⤵
        Program crash
        
        PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\wri3bbe0NifjBnbf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\wri3bbe0NifjBnbf.exe 2752
      4⤵
      Executes dropped EXE
      PID:592
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\reLuHlfc4rc65EWu.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\reLuHlfc4rc65EWu.exe 2752
      4⤵
      Executes dropped EXE
      PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\NfhS0hECaAltppQV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\NfhS0hECaAltppQV.exe 2752
      4⤵
      Executes dropped EXE
      PID:588
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\SBj1VcMkwUzQ6sxO.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\SBj1VcMkwUzQ6sxO.exe 2752
      4⤵
      Executes dropped EXE
      PID:684
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\KCkKYg6VPudY3AqN.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\KCkKYg6VPudY3AqN.exe 2752
      4⤵
      Executes dropped EXE
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Fzy9UKvTOkBA8gmF.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Fzy9UKvTOkBA8gmF.exe 2752
      4⤵
      Executes dropped EXE
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\9UKFuogwarNyUkKG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\9UKFuogwarNyUkKG.exe 2752
      4⤵
      Executes dropped EXE
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\21YB9C5freNBN0Hg.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\21YB9C5freNBN0Hg.exe 2752
      4⤵
      Executes dropped EXE
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8i9l5admY5Kl33TB.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8i9l5admY5Kl33TB.exe 2752
      4⤵
      Executes dropped EXE
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\EprkUsgtXqnayi32.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\EprkUsgtXqnayi32.exe 2752
      4⤵
      Executes dropped EXE
      PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HKBTelBMY2g9fpiz.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HKBTelBMY2g9fpiz.exe 2752
      4⤵
      Executes dropped EXE
      PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\PHwmDA0dcyRyCmtG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\PHwmDA0dcyRyCmtG.exe 2752
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 160
        5⤵
        Program crash
        
        PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\3OcX0WZpP1wwmpcp.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\3OcX0WZpP1wwmpcp.exe 2752
      4⤵
      Executes dropped EXE
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6i4zJkCnyN2p41iK.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6i4zJkCnyN2p41iK.exe 2752
      4⤵
      Executes dropped EXE
      PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\EEB6FrjVfAWcnQH4.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\EEB6FrjVfAWcnQH4.exe 2752
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\dGnfmub6DnzCw1dd.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\dGnfmub6DnzCw1dd.exe 2752
      4⤵
      Executes dropped EXE
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2swC6asb1tIII3z1.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2swC6asb1tIII3z1.exe 2752
      4⤵
      Executes dropped EXE
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\DC2bsPtf9Hz2Thy3.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\DC2bsPtf9Hz2Thy3.exe 2752
      4⤵
      Executes dropped EXE
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4hmBoMuRz3hMo7ch.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4hmBoMuRz3hMo7ch.exe 2752
      4⤵
      Executes dropped EXE
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\KJXuV6uZrJ5C3PFK.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\KJXuV6uZrJ5C3PFK.exe 2752
      4⤵
      Executes dropped EXE
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HOs97QLWF7wGwYwz.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HOs97QLWF7wGwYwz.exe 2752
      4⤵
      Executes dropped EXE
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\JbOVIpEalqbHNiEI.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\JbOVIpEalqbHNiEI.exe 2752
      4⤵
      Executes dropped EXE
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\WaWWmW88Hc2zKj6F.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\WaWWmW88Hc2zKj6F.exe 2752
      4⤵
      PID:616
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\iTWuYtUTPDmU8wnL.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\iTWuYtUTPDmU8wnL.exe 2752
      4⤵
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\AKYhuqZA2veDyzzf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\AKYhuqZA2veDyzzf.exe 2752
      4⤵
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Z9lIcnWL0cIAySkF.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Z9lIcnWL0cIAySkF.exe 2752
      4⤵
      PID:928
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2sOuQFP0wzPqqHuY.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2sOuQFP0wzPqqHuY.exe 2752
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\HC3vrMEK43AIyTDc.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\HC3vrMEK43AIyTDc.exe 2752
      4⤵
      PID:576
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\lJ35owUVU5Liza3k.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\lJ35owUVU5Liza3k.exe 2752
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2z9tpb1M90MwXwqm.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2z9tpb1M90MwXwqm.exe 2752
      4⤵
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\1015565001\2fb607d829.exe
    "C:\Users\Admin\AppData\Local\Temp\1015565001\2fb607d829.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1676
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Loads dropped DLL
      PID:904
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        
        PID:2416
      - C:\Windows\system32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:2932
      - C:\Windows\system32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:2400
      - C:\Windows\system32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
- - C:\Users\Admin\AppData\Local\Temp\1015566001\5361fe3f5e.exe
    "C:\Users\Admin\AppData\Local\Temp\1015566001\5361fe3f5e.exe"
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\1015567001\24b84724d7.exe
    "C:\Users\Admin\AppData\Local\Temp\1015567001\24b84724d7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\1015568001\4efbc599c1.exe
    "C:\Users\Admin\AppData\Local\Temp\1015568001\4efbc599c1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\1015569001\169f6b3377.exe
    "C:\Users\Admin\AppData\Local\Temp\1015569001\169f6b3377.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\1015570001\98386c18ad.exe
    "C:\Users\Admin\AppData\Local\Temp\1015570001\98386c18ad.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1520

C:\Windows\system32\taskeng.exe
taskeng.exe {4D326E13-410B-47E6-B0E4-653DC2772094} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  2⤵
  PID:2416
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1709d0073d57ee087f4d0b45744ddb96

SHA1
2dd1c3825d9b4a4865ffe58585ea89c63a26b6e6

SHA256
e09c1878dcc1d7356104dad6bd11f3dc3d8d551240e1edfdb38cb63e7069ab73

SHA512
41dd96be3373319d25f2f524e4a550e95a9b26429d6e0496bb9843e3e92d8995d8b2d726d078acf9fb525e8dad507bd284c0bfbc468590e9c70d46c771ebab32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d198e13ca3dd4f6c04a8d366905e7c1e

SHA1
f43a58e23a2d80a7711c5d4f9d8aba2a07731ff5

SHA256
cc53990b1c22ae04aa9df4bedc4da4386c842129ba7e1ae3ba7acf9765c68e0c

SHA512
33e6d4d68ad4ee4ec123d81997db3ff8f8eb5dc9037ad0a1a58476e3fd59d8265897f1aeb5ddb507bf529b5bf1fe5120cbf04d51fc8a2156e29596e0dab2233f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015558001\e147d7ff2e.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015565001\2fb607d829.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015566001\5361fe3f5e.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015567001\24b84724d7.exe

Filesize
1.8MB

MD5
2a9a8ac0536adf8e5aae9512c47aa11e

SHA1
723893262d72d49cf113f27144c79b03b3b2590e

SHA256
9da4459f70bf5bb599eb30ee6eac2e717d31c36d86d9fe63a3bcb057a6081288

SHA512
31f5eef6e5b3c30f5cd4f661260767363a5d19ed290673447c03a06fe462ea6b5ff3dea05ce3796553d38d3c03d953907605d738c822287b11a0839d6c80c195

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015568001\4efbc599c1.exe

Filesize
1.7MB

MD5
d5da2fd5ea632cae3fa62383db932295

SHA1
359e99bb56ebe39517cd92f7b0c516f22fa27a73

SHA256
431505e5a218ae028da9b413cf8d63a4e39da72774b2ee84b28353e999ef792f

SHA512
7ef17dd6af64d4df0fdf3098287125b34f23ae769422047e2334c139f1391efc02acd2ca1280b82452e768c8951e152780bb0cc61a0047d25bd2056799225486

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015569001\169f6b3377.exe

Filesize
948KB

MD5
8657e5b0cc315323e02eb0be3444aa2c

SHA1
0c12e23b94dfe56aeee6f7741d78f01ca14674a3

SHA256
0e1277915907c6b336c11359d022f535171ead9d6e8d2f12adfa4dddd23a9e16

SHA512
d1ff2d21b1bc2ddd954eb0b17c21b5c3d226e001b13aeda042bd284713d91631b456b914b0cd3e112badaf644f82ca6b7dd526afdf91f65544218e4defafda76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015570001\98386c18ad.exe

Filesize
2.6MB

MD5
fdc9126326a0adf35ac9647750f6b745

SHA1
7456153c1b913b36f4ada61d99a4b7b15838bce7

SHA256
e27bd9f6c799a5cbff15f5abd1637d7300c5fe04114ecac3096ed3e5f5f69923

SHA512
9613ed68be211e4d4c1fa68830d23ede9503877de198cbf6506c9cf5aae2cc28ad9273991f650a825965d495982632622a7117e7a536dff3b649d2aa120a6708

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD1C2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD1F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
46c3863c4f153d69dbf4d5bfbbc90a73

SHA1
4fa6468cd70687385c225f1500ae570102a4e370

SHA256
0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

SHA512
2d09b274468cf1b6c289c94721b94699c81584763d378769473b14395da8492e853eaa971d94ffeb2988ca582ec347ed3c9fea9c74188a230a344c44eca88f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
memory/904-570-0x000000013FD40000-0x00000001401D0000-memory.dmp

Filesize
4.6MB

Download
memory/904-603-0x000000013FD40000-0x00000001401D0000-memory.dmp

Filesize
4.6MB

Download
memory/904-604-0x000000013FD40000-0x00000001401D0000-memory.dmp

Filesize
4.6MB

Download
memory/904-571-0x000000013FD40000-0x00000001401D0000-memory.dmp

Filesize
4.6MB

Download
memory/1124-589-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1124-587-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1156-47-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1156-240-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1156-45-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/1156-46-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1488-436-0x0000000000EA0000-0x0000000000EE5000-memory.dmp

Filesize
276KB

Download
memory/1520-540-0x0000000000C10000-0x0000000000EBE000-memory.dmp

Filesize
2.7MB

Download
memory/1520-592-0x0000000000C10000-0x0000000000EBE000-memory.dmp

Filesize
2.7MB

Download
memory/1520-616-0x0000000000C10000-0x0000000000EBE000-memory.dmp

Filesize
2.7MB

Download
memory/1520-617-0x0000000000C10000-0x0000000000EBE000-memory.dmp

Filesize
2.7MB

Download
memory/1912-594-0x0000000000900000-0x0000000000945000-memory.dmp

Filesize
276KB

Download
memory/1916-443-0x0000000000380000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/1916-569-0x0000000000380000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/1916-556-0x0000000000380000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/1916-505-0x0000000000380000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2008-674-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-675-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-680-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-679-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-676-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-673-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-688-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2008-687-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/2072-16-0x00000000001A0000-0x00000000004BA000-memory.dmp

Filesize
3.1MB

Download
memory/2072-0-0x00000000001A0000-0x00000000004BA000-memory.dmp

Filesize
3.1MB

Download
memory/2072-21-0x00000000001A0000-0x00000000004BA000-memory.dmp

Filesize
3.1MB

Download
memory/2072-1-0x0000000077840000-0x0000000077842000-memory.dmp

Filesize
8KB

Download
memory/2072-2-0x00000000001A1000-0x00000000001CF000-memory.dmp

Filesize
184KB

Download
memory/2072-3-0x00000000001A0000-0x00000000004BA000-memory.dmp

Filesize
3.1MB

Download
memory/2072-5-0x00000000001A0000-0x00000000004BA000-memory.dmp

Filesize
3.1MB

Download
memory/2072-19-0x0000000006D80000-0x000000000709A000-memory.dmp

Filesize
3.1MB

Download
memory/2072-18-0x0000000006D80000-0x000000000709A000-memory.dmp

Filesize
3.1MB

Download
memory/2416-690-0x000000013F980000-0x000000013FE10000-memory.dmp

Filesize
4.6MB

Download
memory/2416-574-0x000000013FD40000-0x00000001401D0000-memory.dmp

Filesize
4.6MB

Download
memory/2416-678-0x000000013F980000-0x000000013FE10000-memory.dmp

Filesize
4.6MB

Download
memory/2488-693-0x000000013F980000-0x000000013FE10000-memory.dmp

Filesize
4.6MB

Download
memory/2488-665-0x000000013F980000-0x000000013FE10000-memory.dmp

Filesize
4.6MB

Download
memory/2748-24-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-653-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-552-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-591-0x0000000006190000-0x000000000643E000-memory.dmp

Filesize
2.7MB

Download
memory/2748-590-0x0000000006190000-0x000000000643E000-memory.dmp

Filesize
2.7MB

Download
memory/2748-548-0x0000000006850000-0x0000000006EF3000-memory.dmp

Filesize
6.6MB

Download
memory/2748-593-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-537-0x0000000006190000-0x000000000643E000-memory.dmp

Filesize
2.7MB

Download
memory/2748-23-0x00000000009B1000-0x00000000009DF000-memory.dmp

Filesize
184KB

Download
memory/2748-606-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-536-0x0000000006190000-0x000000000643E000-memory.dmp

Filesize
2.7MB

Download
memory/2748-258-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-618-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-628-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-644-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-22-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-391-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-666-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-26-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-516-0x0000000006850000-0x0000000006CF9000-memory.dmp

Filesize
4.7MB

Download
memory/2748-497-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-27-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-44-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-439-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-475-0x0000000006850000-0x0000000006EF3000-memory.dmp

Filesize
6.6MB

Download
memory/2748-686-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-118-0x00000000009B0000-0x0000000000CCA000-memory.dmp

Filesize
3.1MB

Download
memory/2748-442-0x0000000006850000-0x0000000006CF9000-memory.dmp

Filesize
4.7MB

Download
memory/2956-484-0x00000000002A0000-0x0000000000943000-memory.dmp

Filesize
6.6MB

Download
memory/2956-518-0x00000000002A0000-0x0000000000943000-memory.dmp

Filesize
6.6MB

Download