Malware Analysis Report

2024-11-30 22:08

Sample ID 240705-w52hxasglq
Target 9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe
SHA256 9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a

Threat Level: Known bad

The file 9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 18:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 18:31

Reported

2024-07-05 18:33

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
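The ACPI DSDT\VBOX__, SystemBiosVersion/VideoBiosVersion, Software\Wine and CentralProcessor lookups above are the usual VM and sandbox fingerprinting set, and the report shows FCBAECGIEB.exe and the explorti.exe it launches running the same checks. Any one of these keys is also read by legitimate software, so the useful signal is a single process touching several of them. The Python below is an added example, not part of the report or the sandbox's own tooling: it parses registry rows in the report's layout, groups the keys each process touched into fingerprinting families, and flags processes that hit two or more. The family table, the threshold and the sample rows (copied from the tables above) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Registry-path fragments grouped into fingerprinting "families". The grouping
# and the threshold are assumptions made for this example; they are not rules
# taken from the sandbox that produced the report.
FINGERPRINT_FAMILIES = {
    "acpi_vbox": [r"\HARDWARE\ACPI\DSDT\VBOX__"],
    "bios":      [r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
                  r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"],
    "wine":      [r"\Software\Wine"],
    "cpu":       [r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0"],
}
SUSPICIOUS_FAMILY_COUNT = 2   # flag a process that touches this many distinct families

# One registry row as printed in the report: action, key, process, target.
ROW_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\\S+)\s+"
    r"(?P<process>.+?\.exe)\s+N/A$",
    re.IGNORECASE,
)

# Constructed sample: rows copied from the report's evasion/discovery tables.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
"""


def parse_rows(text):
    """Return (process, action, key) tuples for every row that matches the layout."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((m["process"], m["action"], m["key"]))
    return events


def family_of(key):
    """Name of the fingerprinting family a registry key belongs to, or None."""
    k = key.lower()
    for name, fragments in FINGERPRINT_FAMILIES.items():
        if any(f.lower() in k for f in fragments):
            return name
    return None


def score_processes(events):
    """Map each process image to the set of fingerprinting families it touched."""
    touched = defaultdict(set)
    for process, _action, key in events:
        fam = family_of(key)
        if fam:
            touched[process].add(fam)
    return dict(touched)


def flag_suspicious(touched, threshold=SUSPICIOUS_FAMILY_COUNT):
    """Processes whose distinct-family count reaches the threshold, sorted by path."""
    return sorted(p for p, fams in touched.items() if len(fams) >= threshold)


if __name__ == "__main__":
    touched = score_processes(parse_rows(SAMPLE_ROWS))
    for proc in flag_suspicious(touched):
        print(f"{proc}: {sorted(touched[proc])}")
```

On the sample rows the two dropped binaries each hit three families while the original sample only reads CentralProcessor, which is why a per-process count is more useful than alerting on any single key. Note that registry reads are not captured by Sysmon's RegistryEvent (it records key creates, value sets and renames), so this correlation needs sandbox or ETW-level telemetry on a real host.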

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted from this copy of the report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426366150" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C6C91821-3AFC-11EF-BECC-D2EFD46A7D0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006bc40fcfc2061d4dbf721c1a5fe994bc0000000002000000000010660000000100002000000034fc398db8b5cbb489903408b4690f94bf13641c9dafe95ab539cafa738608c8000000000e80000000020000200000005ace21880c99db2157108be22434c35362024ed6957e51acae0ed86942f486c720000000d8d62641b208391035f7d78b46ef31d1193e800d497bdd6a6a0d2d89169b47db40000000195dbfa993e5417d646b3d312eaae42db17428bc7ed0f4883d998b16034e80ec284bda694e81bc2a481144a27b1982f16b6c4ea863f5ff6a2b9271c21e2c4b7f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e8119e09cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 1992 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2520 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2816 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe
PID 2816 wrote to memory of 1724 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1724 wrote to memory of 820 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe
PID 1724 wrote to memory of 1788 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 2196 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 612 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
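The WriteProcessMemory table above records parent-to-child memory writes as flat rows rather than as a tree, and the Processes list that follows gives command lines without PIDs, so the execution chain (sample → cmd.exe → FCBAECGIEB.exe → explorti.exe → 4c5784ffc5.exe and cmd.exe → iexplore.exe) has to be reconstructed by hand. The Python below is an added example, not the sandbox's own code: it parses the rows in the report's layout, deduplicates them into one edge per parent/child pair while keeping the write count, and renders the tree plus the root-to-leaf lineage of any PID, which is the shape a parent/child detection rule needs. The sample rows are a subset copied from the table above; the duplicate row is kept deliberately to exercise the counting.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the report's WriteProcessMemory table
# (a subset, with one duplicate kept to show per-edge counting).
SAMPLE_ROWS = r"""
PID 2932 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe
PID 2816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1724 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe
PID 1724 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$")
# Two Windows paths separated by whitespace; paths may themselves contain spaces,
# so the split point is the first whitespace followed by a drive letter.
PATHS_RE = re.compile(r"^(?P<parent>[A-Za-z]:\\.*?)\s+(?P<child>[A-Za-z]:\\.*)$")


class ProcessTree:
    def __init__(self):
        self.image = {}                    # pid -> image path
        self.parent = {}                   # pid -> parent pid
        self.children = defaultdict(list)  # pid -> child pids, in first-seen order
        self.writes = Counter()            # (src, dst) -> number of write events

    def add_edge(self, src, dst, parent_path, child_path):
        self.image.setdefault(src, parent_path)
        self.image.setdefault(dst, child_path)
        if (src, dst) not in self.writes:  # first write for this pair creates the edge
            self.children[src].append(dst)
            self.parent[dst] = src
        self.writes[(src, dst)] += 1

    def roots(self):
        return [p for p in self.image if p not in self.parent]

    def lineage(self, pid):
        """Image basenames from the root down to pid (the parent/child chain)."""
        chain = []
        while pid is not None:
            chain.append(PureWindowsPath(self.image[pid]).name)
            pid = self.parent.get(pid)
        return list(reversed(chain))

    def render(self, pid, depth=0):
        """Indented text lines for the subtree rooted at pid, with write counts."""
        n = self.writes[(self.parent[pid], pid)] if pid in self.parent else 0
        suffix = f"  ({n} writes)" if n else ""
        lines = ["    " * depth + f"{pid} {PureWindowsPath(self.image[pid]).name}{suffix}"]
        for child in self.children[pid]:
            lines.extend(self.render(child, depth + 1))
        return lines


def build_tree(text):
    tree = ProcessTree()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATHS_RE.match(m["rest"])
        if paths:
            tree.add_edge(int(m["src"]), int(m["dst"]), paths["parent"], paths["child"])
    return tree


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    for root in tree.roots():
        print("\n".join(tree.render(root)))
    print("lineage of 2196:", " -> ".join(tree.lineage(2196)))
```

Read the edges as a parent/child tree rather than as injection: writes from a parent into a child immediately at creation are also produced by ordinary process creation from 32-bit (SysWOW64) parents, and the report shows no cross-tree writes. The lineage for the browser (explorti.exe → cmd.exe → iexplore.exe opening https://www.youtube.com/account) is the part worth turning into a rule, since a scheduled-task payload in %TEMP% spawning a browser via cmd.exe is not something a user workflow produces.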

Processes

C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEBGIIDBKE.exe"

C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe

"C:\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\3a449d00b7.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2932-0-0x00000000002D0000-0x0000000000EC4000-memory.dmp

memory/2932-1-0x00000000002D0000-0x0000000000EC4000-memory.dmp

memory/2932-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2932-65-0x00000000002D0000-0x0000000000EC4000-memory.dmp

\Users\Admin\AppData\Local\Temp\FCBAECGIEB.exe

MD5 9f33e620e552786cd64dd5d1707be00f
SHA1 ebd783ffbc38120a63a3df0eeedd31598d6e6963
SHA256 748538299004b87c6cbb64ec7a32d5e7b2f547cbbf75726d248b46777fce2b97
SHA512 a58db462995712a80544f1f831b182c3b5047d58784d5e73b88810e511687c2c5bd6304c120f3e03d7ba7f5883deeea3a094eef1a1967ec3379e350dd25dea78

memory/1992-82-0x0000000002190000-0x0000000002651000-memory.dmp

memory/2816-86-0x0000000000800000-0x0000000000CC1000-memory.dmp

memory/1724-118-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/2816-115-0x0000000006FF0000-0x00000000074B1000-memory.dmp

memory/2816-117-0x0000000000800000-0x0000000000CC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe

MD5 7ad17f11aa6b1408999981b11078d674
SHA1 57a4856e4db83685852d7c6037bb1bbde4793415
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
SHA512 06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

memory/820-141-0x00000000000E0000-0x0000000000CCC000-memory.dmp

memory/1724-140-0x0000000006B50000-0x000000000773C000-memory.dmp

memory/1724-139-0x0000000006B50000-0x000000000773C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\3a449d00b7.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/1788-179-0x00000000022D0000-0x00000000023D0000-memory.dmp

memory/820-181-0x00000000000E0000-0x0000000000CCC000-memory.dmp

memory/1724-220-0x0000000000970000-0x0000000000E31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

MD5 62d825f9bfbcf5d704b05471726a8f12
SHA1 f9b252dfb75a236c6fbb5dd56430b61557932508
SHA256 fe0f46eb518441346315938c2eafdb99f4a59dcf1161e26449c9ec597da2a2e2
SHA512 4fdf90161a1b97b0ca26dbf558c56fff1ca9966195ecb8dcd2f2cf2268d2beaef0cb782409675d2f99d8fa3861c306fe69669fd4117a41d5823627cfa1ab9911

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f36b5ab4a71b8db829a7ddd1924bf8b
SHA1 4c703d4befa082739690366c75bc2db6ff72673d
SHA256 d7095e92b743f4370fc04a5e0b6e4cc7951c570941bcf837e073f92296e634f0
SHA512 a1f170e8f75a687b03b97cffb59689c40deab346ddedb863d0598653ff0a5b9aa82ae044e092e4a7ef9bf1f68cb423ee29d9122da6563a0cefbcd89dc5f2b8eb

C:\Users\Admin\AppData\Local\Temp\Tar7505.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab74F2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar75D6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05e9e7c84774bd6ad2ad52b41133bd6a
SHA1 0b45f3d93f893c8f03f3e3ee451e31404b0e6ad0
SHA256 ee69cf5d1d753c667fe525b9afd3ed49d6528fa68ee65fc62dd55c51f76982c6
SHA512 8b8cad6edabd89caaf11daff7829f8670e0a2443e1334275ba20fff337bf7fc1e0ed3cf335594d91ac93cbad96c20c2a82112c4ebf159a5b9e82414d30baf8bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a023407843306509bb33e5f13e4306e5
SHA1 4b06ccf5c1d0d11eb9ca83df46a560f3b6bdf7f0
SHA256 acdedc2ec3f6bc0cc7482e0a66799999acb9ed1a4197f2476f0729b769079814
SHA512 5eac6e3712cd160126e1b60a5a798f8c6e9b64a4b50683e3d1285ac5c7900583e3dc73284c1a7d4a24b14262d7d7abdf42a11862df75d8a3a772bebbcb2189e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8866f9afcb566fc038343b9603b43c9
SHA1 25ab41710ef60fa7dcb95a304da147fe953d1367
SHA256 055d435d6b0078585f94f3fac889377148756514f9e96d768ab36eed15dc6b0b
SHA512 e418a0212918afabfc8b4edc3bacc2c70ca351aaf23513fc518c4ae3322586f532db54c402847b28fed330fedbdf21a5f62221d5c3ada2270723793331a5bcd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20308b4492a96b369a5ffd74ebe40fbf
SHA1 bd470c27b5c23dba94bf6b51ad9da5ec13166211
SHA256 76859f595392cdcb6c632327067d3a0a699c22dc4bd69d255e4300f0fc2080b5
SHA512 78ff217dcb3ceb51c53467832ef8ff97c6444ab9084618a91795814a80ba9b49439b0d1a0fbc7761c147d3ef9bc654a4d8f667dc16caf41fb4206faa9ed19ba5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4cf9c412979823cb2898e9dc78fc05c
SHA1 421bc5b899e17deed56813c4cbaec198efc1ff6e
SHA256 18b6a7306200bd2594ab8c10946a8e2a0822299a5ba907728c971c2273387f81
SHA512 3b4cc97dd4828660803e09935276ea4eba184787a5280beaf3ab2535e917e1ae4ace50a8806d646042f772168e3d989c64a4cab85321aab5eaccbd037729810e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfd09fe7abf2654714dde50cd6e96cc9
SHA1 e0b037f764d77d8bab434a6564bb93e9f47d3305
SHA256 3801f1494e1d7838a8abb32414ab2d4f00b3627b9b521340261dba4d52b669f9
SHA512 4b35094f66a54ff5b15ac6f9548502696a7887862f2e1f5574c87397db2a910f025865d16fc513d97e7b06e9070d7291e6c1cab84cac317248bc9aefb43ade2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43e1d52564eb4dbbcee6078831657bda
SHA1 052426d10b89ab5eeccf31f16c59ce4b9c78a1db
SHA256 77c18d03407b03a9b8c19ea0098191b79257f2d258fc91b8d4c32ee184edfe50
SHA512 62ba485dd125e7a053b2eabb3a24d6410063d784bdacac26aa4f0140d5f6292415b23c61aad408d2e3b9cbeb44d013412edf6770b96c32982ab5cb41e8b5af0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b1eb0566b6c5776104a0b49b2b82e98
SHA1 bf143218099c7a1bf17060c36dc3af6f9e7d7adc
SHA256 251112ddb0a809dc910bdae125f34273d968c282e248768d4d08fd1ef6790a04
SHA512 dd5c53010af287d33327ea6974aa624d9ddb184806a17b422821829a022669e849a81445dc5dfbbb80eeab4bdfa0d28540c10fa20e36531cc6af8978aef58b1c

memory/1724-714-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-715-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-716-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-717-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-718-0x0000000000970000-0x0000000000E31000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c247168eef7970db8144ddd2488cccb
SHA1 81d7ce19ea592769fad365218802197c110d2017
SHA256 72772ef11651475132d9b9cacd8a228e4bc5e3b1af021d278b436a4477fe5a6d
SHA512 5e0cfa0bc5d3657710eba884fe0390fbfba6933f3dc868eddc743d851f9726487a96e18419e7f6ab8e8d68d802c93cff87f79d3d225faa6da1fda4877b5f7b31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d2ddbc1de4946823104c885e8c6b3dff
SHA1 4e3a162a974f7325730e6b9283deb508d805177d
SHA256 418293c262cdd4f2f02e04b2c0eaaa18c2babdea625b20401efe2248c84c3015
SHA512 2acb9349868764adfcabb607f144556e59105bf0fab8ed620e913f9fe7a0f91e82899281a0f7cc285b867252b55b801182b80d158f1dfff2120361d6c9c1c14e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8881793824abe8c0a336c8673a450fc5
SHA1 3a0a08ba359cb954af16d9054b9468ed286ac9f8
SHA256 8e2ad78ffa9cb5c556e5cb039e520b90969c3f710fbc3161022625ba0698875a
SHA512 8f0e009d44d12140b081f090c4978f3220c1bcb8c34e02ae19edf798f9991d6e0b24cd731dc0f872ed8d8f8130cd9ebfa6ad8e2c81d9f4614013651359016009

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f76ace9a6428298000e8bb0a049c482
SHA1 9b41c62e7c8674786b3bd2306d50a69175dcf1ac
SHA256 fe447ff828ae7c5972116357036e93b29c3211357ac0f4d3d086bbacb7e82793
SHA512 16d946f5363e2366c66cf17ec8fa90e18cb226e3b2e7450f436b07842e7f5e92aaa4a104c7be6296bc331eecaf38473b921278cc28313134f4f8265650893942

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b4ee8dbfe36a177280d9628c3629ed3
SHA1 b49eaffca1b7c55b1794067326b2d23b7622686b
SHA256 31f6a71e9c006a61d0c55e25762c2cc8948072a80f89a2c681e54dfddb42bced
SHA512 60772b0d1a89c4902b9e572cc66635bb8c1c44acc9c301ba8b5a0f3b6c39eed71253ea040fc7a36411a2ff913b52bc6843391c067a49d55150a4a5672f63d965

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e87d504b4f47f007d2224cdce078bd4e
SHA1 abf21a814778e87c892e88abbb3cd31d3bfc21e0
SHA256 ea1fa6204481f833d6f59e77cfc0c05bdf1a3e3e6895d2af83086b55a33cda9a
SHA512 eaa4f56d4a0b27d88b552e8637c12695811b16e44cda321a04ad4b5ac7efadd1709fda32409932f0bca8269e8f28c13dbf5d8a63c2c9ab0fad50cbac296199de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 8b41ac36d71df43973be535a23afc5b2
SHA1 38c5e802367d318290e8f7b4e46b52a657423e65
SHA256 57409c22e6cd42bca7fa139b1e8e73ab331030ac3cb2aed71874a80a3558c676
SHA512 d626783540702fded4aef67fab658eed51c991381c4047fa51bef319a438fa1b7231adb726b868bca96579c868c3ea16c60b2b6ffba25bf04b68cf9b9de7cb0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1452327ca218e931c8e4c7854609925b
SHA1 5f9a4aa9ed1e8b413cb3a4714041fa5c2477d8af
SHA256 4914a6c98044567ede58547aa974d604bfbf270552f08d86241a8ba706b43cef
SHA512 2962a47b5a4a6f82246c8e203e6291653dddf6df2b32148422bdafc692d41045f089544cc25bf40375dc72a54f3b684de3c954a29381be5dab1fb5a10736f4a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97257b2d913e03b415b7077a37601f1d
SHA1 7b3bdcee3f4ac2db71bac567b6fbbede85991ff7
SHA256 dc4164b3acdb10ee1b84bca403dfced3271ecaa14987afbf25fa6228da7d7543
SHA512 23425f98cbf2c1a9134ecb3ddbbdb26a4bc0997018acfa229cc68f0b38ed299d44df7965235fb68b81f38e517016b01075bc840f594694899cd8f5119f7d3d0e

memory/1724-1064-0x0000000000970000-0x0000000000E31000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90ec08d8ef36a135bdd987087da5ea7b
SHA1 338a7e5b4fc695cd9ab4c6c3751065af6b24781d
SHA256 f7c9b012bc634662528f7504c8e0fecfd9d71c1817c2d9d591d144cbfb7ca52e
SHA512 af400db59ae9e976cbacb3e35d3dae057eb64d4c93097f20b023fe85ac44e46f852c94cf8978af48d0b3c4a77f595d22167dd6f41ede85a254ccd506aa8db068

memory/1724-1312-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-1313-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-1314-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-1315-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-1316-0x0000000000970000-0x0000000000E31000-memory.dmp

memory/1724-1317-0x0000000000970000-0x0000000000E31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 18:31

Reported

2024-07-05 18:33

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe
PID 220 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe
PID 220 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe
PID 1680 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1680 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1680 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe
PID 1784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe
PID 1784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe
PID 1784 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3932 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3100 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"

C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe

"C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\837d9bb489.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x70,0x128,0x7ff9336646f8,0x7ff933664708,0x7ff933664718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,15179875038788799690,2434149693186508769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3276-0-0x0000000000780000-0x0000000001374000-memory.dmp

memory/3276-1-0x000000007F040000-0x000000007F411000-memory.dmp

memory/3276-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3276-77-0x000000007F040000-0x000000007F411000-memory.dmp

memory/3276-78-0x0000000000780000-0x0000000001374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAEGHIJEHJ.exe

MD5 9f33e620e552786cd64dd5d1707be00f
SHA1 ebd783ffbc38120a63a3df0eeedd31598d6e6963
SHA256 748538299004b87c6cbb64ec7a32d5e7b2f547cbbf75726d248b46777fce2b97
SHA512 a58db462995712a80544f1f831b182c3b5047d58784d5e73b88810e511687c2c5bd6304c120f3e03d7ba7f5883deeea3a094eef1a1967ec3379e350dd25dea78

memory/1680-82-0x0000000000070000-0x0000000000531000-memory.dmp

memory/1680-83-0x0000000077474000-0x0000000077476000-memory.dmp

memory/1784-95-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1680-97-0x0000000000070000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\4c5784ffc5.exe

MD5 7ad17f11aa6b1408999981b11078d674
SHA1 57a4856e4db83685852d7c6037bb1bbde4793415
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
SHA512 06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

memory/2556-113-0x0000000000B80000-0x000000000176C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\837d9bb489.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2556-122-0x0000000000B80000-0x000000000176C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2915233ace3b11bc8898c958f245aa9a
SHA1 68c6aa983da303b825d656ac3284081db682f702
SHA256 b2cb442f2ca27619c8df087f56fcbbb53186c53f8fd131af886ee3712220477e
SHA512 e3f1b70d39b615e212f84d587ee816598236ee6ce144d919593894fcce4a0900343a9e8b837a0d1bd10921fff1c976c84c4a570eda776fe84d374a69e7a54890

\??\pipe\LOCAL\crashpad_3100_NJAUHONWWMYMKIDM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1fe3a26bd35b84102bb4203f31e74c7
SHA1 45fdfa8433789b575eb64e116718e62e0e0cf4a0
SHA256 26e0d51529de906dd285ba48288e25eaf5213c0f0bab9bc5f119ecbc5e1b93ee
SHA512 d528db2e9b917d4fbe24b1b5c6f4cb274f4f91c84f63e5119e041fa89ae0cd01a370e314f8b6aca9d6fa958e79feabc720f4b54b3d8aed69aab11fa84cad36bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 407c34215f0b983c420c036c0623baa4
SHA1 45e6b46f86b61fda1b458b92009c1bc6e2726726
SHA256 5f1cb214b05d8414876601bb9204b525676b32663a5f3f90570773380265985b
SHA512 da8184b8222849ac4da349ff62d05a0c3102b44952b1ba927537b7bf34c0c066f39ac618a911756c9c9acd43f1d21a72f4fddfc5632c98b37ba50f1cb2074775

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1784-178-0x0000000000960000-0x0000000000E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 44dbbb08bf133fbb72f72284210f21c0
SHA1 cedb7160e4a0ff496d055e90aed8671df4324bbc
SHA256 0030add8b17fc1571a6b4e3919fc29132970442f5ee3a7a66322609111ec9094
SHA512 0d26eed4f4da00aee4c2f5995917b4b4e9028857521133f1cd7503c3f61173115b4dbe492c3c218609302e034562acefc678ea864f2559d9ff56649617d5b378

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3f3a532991c2046d88979213df11104b
SHA1 c05a45109a99b9bfa8b76491bd05c559ed454728
SHA256 d9b8207c41ef98d56711784df054b68d6e4fbd75276120660ed5d618f0e0d5df
SHA512 0d8b8f6d7c98b04ef896bebdd80fdbdddd666e3911fd9c078e121d753b3db9a8f09bd6ea549809eee78e04d5845f77566a25af86e1dacd2fd6e05d366946d1a3

memory/1784-201-0x0000000000960000-0x0000000000E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9f38374a792d7390033fd1e400a253b0
SHA1 fa2a77f248c57a636e857a0a1719421b53a1e51f
SHA256 958c45de46262a0b1394fcbbdbf25591dce317b071909d9893a523801da8d926
SHA512 3f600ee524fa0a9127b5d222f144a3fdf44df9162953757d3ac885eb9c81bb9d7ed81a4711833153185423d22ce927a63f3c2f4234905df742037458b435589a

memory/1784-207-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-217-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/220-220-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-221-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-231-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-240-0x0000000000960000-0x0000000000E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 742eedb966fdec7d680ead231522048c
SHA1 7ccb186316c04d62120ea3fde58f0355b62def14
SHA256 6e65e2b941a8eda31376574d83a7294a330935d81c99b4e872fd549742f007b7
SHA512 9e5c29120284fe9c3eefe4c33951e60489da4fa58f454ef34d6d50e16eb58560b8f2a527ff95b1d8a215edaf4a9d46084b85eb717e107c6f488b4037d7ef1f07

memory/1784-264-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-265-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-266-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1892-268-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1892-269-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-270-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-271-0x0000000000960000-0x0000000000E21000-memory.dmp

memory/1784-275-0x0000000000960000-0x0000000000E21000-memory.dmp