amadey | 6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Size

2.9MB
MD5

dac73e7813dc3500e5f677b5f31191df
SHA1

bf5eaa68905a19d7cda4cc824267d5fbfc27785a
SHA256

6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e
SHA512

7e26aa8fa617887d322ff823d6133dc677cd6c7e5ff2d1b14f6db689dff185e4f668802037bcd38e2134965892f71aabb4b274ae5568adb6e2ad065f93d593ba
SSDEEP

49152:CdKtEEZolFDH6eU4kCfdnZlAVVXmZUiUHHUw0aAVP:ntEEZuFDaeU4kCfhZloXmVy0

Score

10^/10

amadey lumma 9c9aa5 discovery evasion execution persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	3c0bb9c756.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74bc2a85f9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f0b23bdcb7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3c0bb9c756.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6772c9c20a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ec98498f6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
2004	powershell.exe
704	powershell.exe
2076	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ec98498f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74bc2a85f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3c0bb9c756.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6772c9c20a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6772c9c20a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3c0bb9c756.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ec98498f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74bc2a85f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f0b23bdcb7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f0b23bdcb7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Executes dropped EXE 19 IoCs

pid	Process
2752	skotes.exe
2888	74bc2a85f9.exe
2176	4d947324df.exe
2368	5d6ab90cc5.exe
2472	ea9abd8cc3.exe
2280	ea9abd8cc3.exe
3044	ea9abd8cc3.exe
2044	f0b23bdcb7.exe
1488	4d947324df.exe
900	vmLn5k4.exe
2368	9222a4ebad.exe
2380	3c0bb9c756.exe
1988	e98aaaa641.exe
1716	e98aaaa641.exe
2416	a66c511a07.exe
1140	b14ea5fb12.exe
2968	6772c9c20a.exe
1944	9222a4ebad.exe
10168	3ec98498f6.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	6772c9c20a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	3ec98498f6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	74bc2a85f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	f0b23bdcb7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	3c0bb9c756.exe

Loads dropped DLL 30 IoCs

pid	Process
2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2472	ea9abd8cc3.exe
2472	ea9abd8cc3.exe
2752	skotes.exe
2752	skotes.exe
2176	4d947324df.exe
2752	skotes.exe
2752	skotes.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
1988	e98aaaa641.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2368	9222a4ebad.exe
2752	skotes.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\74bc2a85f9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018024001\\74bc2a85f9.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
2752	skotes.exe
2888	74bc2a85f9.exe
2044	f0b23bdcb7.exe
2380	3c0bb9c756.exe
2968	6772c9c20a.exe
10168	3ec98498f6.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 3044	2472	ea9abd8cc3.exe	44
PID 2176 set thread context of 1488	2176	4d947324df.exe	46
PID 1988 set thread context of 1716	1988	e98aaaa641.exe	53
PID 2368 set thread context of 1944	2368	9222a4ebad.exe	62

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec98498f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e98aaaa641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9abd8cc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b14ea5fb12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74bc2a85f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9222a4ebad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d947324df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9abd8cc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0b23bdcb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9222a4ebad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c0bb9c756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e98aaaa641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d947324df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d6ab90cc5.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4d947324df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4d947324df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4d947324df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	f0b23bdcb7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	f0b23bdcb7.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
2752	skotes.exe
2888	74bc2a85f9.exe
2368	5d6ab90cc5.exe
404	powershell.exe
2004	powershell.exe
2044	f0b23bdcb7.exe
2380	3c0bb9c756.exe
2380	3c0bb9c756.exe
2380	3c0bb9c756.exe
2380	3c0bb9c756.exe
2380	3c0bb9c756.exe
2380	3c0bb9c756.exe
1140	b14ea5fb12.exe
704	powershell.exe
2076	powershell.exe
2968	6772c9c20a.exe
1944	9222a4ebad.exe
1944	9222a4ebad.exe
10168	3ec98498f6.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	4d947324df.exe
Token: SeDebugPrivilege	2368	5d6ab90cc5.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1140	b14ea5fb12.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1944	9222a4ebad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2752	2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe	30
PID 2548 wrote to memory of 2752	2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe	30
PID 2548 wrote to memory of 2752	2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe	30
PID 2548 wrote to memory of 2752	2548	6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe	30
PID 2752 wrote to memory of 2888	2752	skotes.exe	33
PID 2752 wrote to memory of 2888	2752	skotes.exe	33
PID 2752 wrote to memory of 2888	2752	skotes.exe	33
PID 2752 wrote to memory of 2888	2752	skotes.exe	33
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2176	2752	skotes.exe	34
PID 2752 wrote to memory of 2368	2752	skotes.exe	35
PID 2752 wrote to memory of 2368	2752	skotes.exe	35
PID 2752 wrote to memory of 2368	2752	skotes.exe	35
PID 2752 wrote to memory of 2368	2752	skotes.exe	35
PID 2368 wrote to memory of 404	2368	5d6ab90cc5.exe	37
PID 2368 wrote to memory of 404	2368	5d6ab90cc5.exe	37
PID 2368 wrote to memory of 404	2368	5d6ab90cc5.exe	37
PID 2368 wrote to memory of 404	2368	5d6ab90cc5.exe	37
PID 2368 wrote to memory of 2004	2368	5d6ab90cc5.exe	39
PID 2368 wrote to memory of 2004	2368	5d6ab90cc5.exe	39
PID 2368 wrote to memory of 2004	2368	5d6ab90cc5.exe	39
PID 2368 wrote to memory of 2004	2368	5d6ab90cc5.exe	39
PID 2752 wrote to memory of 2472	2752	skotes.exe	41
PID 2752 wrote to memory of 2472	2752	skotes.exe	41
PID 2752 wrote to memory of 2472	2752	skotes.exe	41
PID 2752 wrote to memory of 2472	2752	skotes.exe	41
PID 2472 wrote to memory of 2280	2472	ea9abd8cc3.exe	43
PID 2472 wrote to memory of 2280	2472	ea9abd8cc3.exe	43
PID 2472 wrote to memory of 2280	2472	ea9abd8cc3.exe	43
PID 2472 wrote to memory of 2280	2472	ea9abd8cc3.exe	43
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2472 wrote to memory of 3044	2472	ea9abd8cc3.exe	44
PID 2752 wrote to memory of 2044	2752	skotes.exe	45
PID 2752 wrote to memory of 2044	2752	skotes.exe	45
PID 2752 wrote to memory of 2044	2752	skotes.exe	45
PID 2752 wrote to memory of 2044	2752	skotes.exe	45
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2176 wrote to memory of 1488	2176	4d947324df.exe	46
PID 2752 wrote to memory of 900	2752	skotes.exe	47
PID 2752 wrote to memory of 900	2752	skotes.exe	47

C:\Users\Admin\AppData\Local\Temp\6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e_Sigmanly.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\1018024001\74bc2a85f9.exe
    "C:\Users\Admin\AppData\Local\Temp\1018024001\74bc2a85f9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\1018469001\4d947324df.exe
    "C:\Users\Admin\AppData\Local\Temp\1018469001\4d947324df.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\1018469001\4d947324df.exe
      "C:\Users\Admin\AppData\Local\Temp\1018469001\4d947324df.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\1018471001\5d6ab90cc5.exe
    "C:\Users\Admin\AppData\Local\Temp\1018471001\5d6ab90cc5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath "C:\bemchi"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe
    "C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe
      "C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe"
      4⤵
      Executes dropped EXE
      PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe
      "C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3044
- - C:\Users\Admin\AppData\Local\Temp\1018473001\f0b23bdcb7.exe
    "C:\Users\Admin\AppData\Local\Temp\1018473001\f0b23bdcb7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\1018474001\vmLn5k4.exe
    "C:\Users\Admin\AppData\Local\Temp\1018474001\vmLn5k4.exe"
    3⤵
    - Executes dropped EXE
    PID:900
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 900 -s 80
      4⤵
      Loads dropped DLL
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\1018475001\9222a4ebad.exe
    "C:\Users\Admin\AppData\Local\Temp\1018475001\9222a4ebad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\1018475001\9222a4ebad.exe
      "C:\Users\Admin\AppData\Local\Temp\1018475001\9222a4ebad.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1018476001\3c0bb9c756.exe
    "C:\Users\Admin\AppData\Local\Temp\1018476001\3c0bb9c756.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\1018477001\e98aaaa641.exe
    "C:\Users\Admin\AppData\Local\Temp\1018477001\e98aaaa641.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\1018477001\e98aaaa641.exe
      "C:\Users\Admin\AppData\Local\Temp\1018477001\e98aaaa641.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\1018478001\a66c511a07.exe
    "C:\Users\Admin\AppData\Local\Temp\1018478001\a66c511a07.exe"
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\1018479001\b14ea5fb12.exe
    "C:\Users\Admin\AppData\Local\Temp\1018479001\b14ea5fb12.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath "C:\djviza"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\Users\Admin\AppData\Local\Temp\1018480001\6772c9c20a.exe
    "C:\Users\Admin\AppData\Local\Temp\1018480001\6772c9c20a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\1018481001\3ec98498f6.exe
    "C:\Users\Admin\AppData\Local\Temp\1018481001\3ec98498f6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:10168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1018024001\74bc2a85f9.exe

Filesize
2.8MB

MD5
06eb241ef8e97b95ab72fd5b38302220

SHA1
50ee0588fd084de8ff5ec5fb30fed03c5734cadd

SHA256
9e011b1567decb2222dbba5c1608b15d201876a5369d553fe42d72fa102aeb19

SHA512
d5e880586150844303f02aec7d9593283097f1b55bebcc448275a1402313449919d8b718c5a9b25e48d8f790b0ffeb968baa7a8b05de59f14a2bac77be4a1d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018469001\4d947324df.exe

Filesize
3.1MB

MD5
c00a67d527ef38dc6f49d0ad7f13b393

SHA1
7b8f2de130ab5e4e59c3c2f4a071bda831ac219d

SHA256
12226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3

SHA512
9286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018471001\5d6ab90cc5.exe

Filesize
21KB

MD5
14becdf1e2402e9aa6c2be0e6167041e

SHA1
72cbbae6878f5e06060a0038b25ede93b445f0df

SHA256
7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a

SHA512
16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018472001\ea9abd8cc3.exe

Filesize
758KB

MD5
afd936e441bf5cbdb858e96833cc6ed3

SHA1
3491edd8c7caf9ae169e21fb58bccd29d95aefef

SHA256
c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf

SHA512
928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018473001\f0b23bdcb7.exe

Filesize
1.8MB

MD5
25fb9c54265bbacc7a055174479f0b70

SHA1
4af069a2ec874703a7e29023d23a1ada491b584e

SHA256
552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c

SHA512
7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018474001\vmLn5k4.exe

Filesize
8.7MB

MD5
1c848c274240a7b5561550c4867c336f

SHA1
fe286e578f0652077cd858850939a152835dcc6c

SHA256
8b5af8709908fa9da7792816d03feb6287ded45a9cb5a5afd4f061113638a092

SHA512
7d96fd7398ce1a3199ea4cb0c7bc4e0f7b76692d9200dd27499b3f96e50a0b91cc77169ad542be46c74fc09e13a84597d180c4c4f0fd23ce45e8c3fa99c8042d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018475001\9222a4ebad.exe

Filesize
1.1MB

MD5
ef08a45833a7d881c90ded1952f96cb4

SHA1
f04aeeb63a1409bd916558d2c40fab8a5ed8168b

SHA256
33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501

SHA512
74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018476001\3c0bb9c756.exe

Filesize
4.3MB

MD5
63014ddb15ca6ee8aed525a9e2df6d85

SHA1
5739c8445d8dd442d361cfbbf46944ef24e7bc32

SHA256
20f1886866cbc38597da35d91a554c4078744d74a07c46ca2633c76a62216c50

SHA512
5fc0d017cbaee34bab83480d819a9803605716d57ad787a48b033216974538f272a97c70be223dd518f518ba207201174585d0d597b767d190246eb83eaee641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018477001\e98aaaa641.exe

Filesize
791KB

MD5
e8af4d0d0b47ac68d762b7f288ae8e6e

SHA1
1d65f31526cc20ab41d6b1625d6674d7f13e326c

SHA256
b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e

SHA512
80fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018478001\a66c511a07.exe

Filesize
1.3MB

MD5
669ed3665495a4a52029ff680ec8eba9

SHA1
7785e285365a141e307931ca4c4ef00b7ecc8986

SHA256
2d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6

SHA512
bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018479001\b14ea5fb12.exe

Filesize
21KB

MD5
04f57c6fb2b2cd8dcc4b38e4a93d4366

SHA1
61770495aa18d480f70b654d1f57998e5bd8c885

SHA256
51e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2

SHA512
53f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018480001\6772c9c20a.exe

Filesize
4.3MB

MD5
c56fed47e77d1b3103c94496f1371878

SHA1
8b1ac848c5ef777e8de09157301043d6367f59ae

SHA256
2c57a53d4a3c03769ed9302fc18cff7a4a5f26e4164023814cc28e92565d7381

SHA512
a61f54e66cc8c4af23a79f5f4da2aa2a0fed8fb7452914bef6b9e9441ed075337ccb34300b0adb2be9bb93a54255578bcba2ebfac81d4fd7ca1fc396cff42184

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018481001\3ec98498f6.exe

Filesize
1.9MB

MD5
1f39fac8d8f8c1e3e0697ebf585af36c

SHA1
f98243a6bdea8f7de4cfa02d157e94b1cf925f51

SHA256
ec2349f4f55242a8328a7f11c5013a7525fa05aa18a680c1d82f2d6d93e6e1ad

SHA512
ebf1551cc77e6f815f18ebd38ffc3b581fbc0b07642175db9178652e3cad6be0a38bf978ea09d46815ca64b1482a87261ac5e34303b14420ce89c7c684a7aaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab543A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0197656eec0dd22f6b2365bec1df09b5

SHA1
8e0370dc27bb5eb7fc6f8686ce24a4db2b035210

SHA256
eb4124a66ae8c164bd27e7536e4bee8da0e6de06e1c085e36339623ee8af6cdb

SHA512
f9466d782b5b5ed2558d9d51952518772ea6b9fff7d7933fa97d020b764c6ef929b0074ee6f84ff8acceef07444ec5285b2289d4a01495553ad9201ad9c6a606

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
dac73e7813dc3500e5f677b5f31191df

SHA1
bf5eaa68905a19d7cda4cc824267d5fbfc27785a

SHA256
6b6ee9cae47a7d7d51218397669ea2644853643e8d7557b20a90dc49e203893e

SHA512
7e26aa8fa617887d322ff823d6133dc677cd6c7e5ff2d1b14f6db689dff185e4f668802037bcd38e2134965892f71aabb4b274ae5568adb6e2ad065f93d593ba

Download Submit
memory/1140-318-0x00000000000C0000-0x00000000000CC000-memory.dmp

Filesize
48KB

Download
memory/1488-171-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1488-176-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1488-178-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1488-173-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1488-175-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1716-275-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-281-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-277-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-286-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-285-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1716-283-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-279-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1944-2432-0x00000000009A0000-0x00000000009CC000-memory.dmp

Filesize
176KB

Download
memory/1944-366-0x0000000004200000-0x0000000004298000-memory.dmp

Filesize
608KB

Download
memory/1944-365-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1944-2441-0x00000000042C0000-0x000000000430C000-memory.dmp

Filesize
304KB

Download
memory/2044-193-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-197-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-184-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-187-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-190-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-160-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-183-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2044-195-0x0000000000BC0000-0x000000000106B000-memory.dmp

Filesize
4.7MB

Download
memory/2176-162-0x00000000057D0000-0x0000000005926000-memory.dmp

Filesize
1.3MB

Download
memory/2176-163-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/2176-61-0x0000000001250000-0x0000000001578000-memory.dmp

Filesize
3.2MB

Download
memory/2368-236-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download
memory/2368-322-0x00000000049A0000-0x0000000004A62000-memory.dmp

Filesize
776KB

Download
memory/2368-235-0x0000000000260000-0x0000000000376000-memory.dmp

Filesize
1.1MB

Download
memory/2368-76-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2380-255-0x0000000000A00000-0x0000000001690000-memory.dmp

Filesize
12.6MB

Download
memory/2380-319-0x0000000000A00000-0x0000000001690000-memory.dmp

Filesize
12.6MB

Download
memory/2548-2-0x00000000012C1000-0x00000000012EF000-memory.dmp

Filesize
184KB

Download
memory/2548-1-0x0000000077510000-0x0000000077512000-memory.dmp

Filesize
8KB

Download
memory/2548-5-0x00000000012C0000-0x00000000015DD000-memory.dmp

Filesize
3.1MB

Download
memory/2548-0-0x00000000012C0000-0x00000000015DD000-memory.dmp

Filesize
3.1MB

Download
memory/2548-3-0x00000000012C0000-0x00000000015DD000-memory.dmp

Filesize
3.1MB

Download
memory/2548-14-0x00000000012C0000-0x00000000015DD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-186-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-131-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-181-0x0000000006610000-0x0000000006ABB000-memory.dmp

Filesize
4.7MB

Download
memory/2752-182-0x0000000006610000-0x0000000006ABB000-memory.dmp

Filesize
4.7MB

Download
memory/2752-179-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-20-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-2451-0x0000000006610000-0x0000000007290000-memory.dmp

Filesize
12.5MB

Download
memory/2752-44-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-158-0x0000000006610000-0x0000000006ABB000-memory.dmp

Filesize
4.7MB

Download
memory/2752-188-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-40-0x0000000005FF0000-0x00000000062EB000-memory.dmp

Filesize
3.0MB

Download
memory/2752-159-0x0000000006610000-0x0000000006ABB000-memory.dmp

Filesize
4.7MB

Download
memory/2752-77-0x0000000005FF0000-0x00000000062EB000-memory.dmp

Filesize
3.0MB

Download
memory/2752-192-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-21-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-194-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-78-0x0000000005FF0000-0x00000000062EB000-memory.dmp

Filesize
3.0MB

Download
memory/2752-140-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-198-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-18-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-17-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

Filesize
184KB

Download
memory/2752-22-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-42-0x0000000005FF0000-0x00000000062EB000-memory.dmp

Filesize
3.0MB

Download
memory/2752-237-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-16-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-254-0x0000000006610000-0x00000000072A0000-memory.dmp

Filesize
12.6MB

Download
memory/2752-256-0x0000000006610000-0x00000000072A0000-memory.dmp

Filesize
12.6MB

Download
memory/2752-23-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-347-0x0000000006610000-0x0000000007290000-memory.dmp

Filesize
12.5MB

Download
memory/2752-321-0x0000000006610000-0x00000000072A0000-memory.dmp

Filesize
12.6MB

Download
memory/2752-121-0x0000000000EA0000-0x00000000011BD000-memory.dmp

Filesize
3.1MB

Download
memory/2752-303-0x0000000006610000-0x00000000072A0000-memory.dmp

Filesize
12.6MB

Download
memory/2888-180-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-45-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-122-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-43-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-185-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-189-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-191-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-103-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-123-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-141-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-132-0x0000000000E80000-0x000000000117B000-memory.dmp

Filesize
3.0MB

Download
memory/2968-348-0x00000000001D0000-0x0000000000E50000-memory.dmp

Filesize
12.5MB

Download
memory/2968-350-0x00000000001D0000-0x0000000000E50000-memory.dmp

Filesize
12.5MB

Download
memory/3044-113-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-118-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-111-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-120-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-117-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-108-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-115-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-109-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download