Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-a17y8stajb
Target 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246

Threat Level: Known bad

The file 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 00:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 00:41

Reported

2024-07-06 02:00

Platform

win7-20240221-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04d28ff47cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29A63B61-3B3B-11EF-AB41-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426392944" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065fdda44a9293146b00ee17a0ab2010a0000000002000000000010660000000100002000000045753de2d3705047a91925a9a58cfadae9875843ee1f5e5b54324389369f4214000000000e800000000200002000000007c7cb82dde3e2c8ac521db4b835cd357031b883ee2afcc616213e9f7d124627200000006b8f9ba4d03081b0214eefd70b7876c38efdf9bd45f7b6020e69c94ba20b5ac5400000005d044e7845c259667d23d7c315664aff358904cb93bf78ad5c4df42b60ec2df8cf66d58b46939865da8fc8dfd9859d7b503e875c35757df1c5749e0ed23ed7b6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065fdda44a9293146b00ee17a0ab2010a000000000200000000001066000000010000200000008dcf0e44143f93590c2fb12250176253026743d8484c2c7d16c7f8308bcd4ac2000000000e8000000002000020000000747c12cdb52065cc16421fc95483cab13d59107c48369779e6855952cf093af890000000376f12621554546b501db410e6d3bb64611df057021f51270c02850dc6e76ed1d98a264580ca972af9f10b9b4530e83fdc8b9d0f9db781f76a46f4edd00f387f83cfe29a505b4dbf7805ad5d073157df39b778fb1783f5f1b1a3e24622e36f81d3fc4d89f605c18331dcae30977ab5ea32dccb53a3141399811eae34fc831da38ff337a54ab0af9ab7d37c4057057810400000004199eaf26a354ff7c8295f93409180ba2659be89d02ef4d296b0015f6bc3af6cfb451e636acfa0cb4ed8f56be1adbdbb72c0f09dfb57994097b76c5f73cb099e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1796 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1796 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1796 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2592 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe
PID 2592 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe
PID 2592 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe
PID 2592 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe
PID 2592 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1376 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe
PID 912 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe
PID 912 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe
PID 912 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\133684543e.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGCBAFCFIJ.exe"

C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe

"C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe"

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7ede7b1ad45d029e9528612dbb1e39f9
SHA1 fb3beb2812cda7c3e308d1db9c82320bf781a0b2
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA512 d79a3a6a283fdb8856f56dc6377a57cb9e200c3de1a1b6a676a446d39d7c8b1124a7124d778b335b2eb24dffc6988f7f8fb8738fd60be6045ad7f05562d9bf59

C:\Users\Admin\AppData\Local\Temp\1000006001\70765f0dbd.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

C:\Users\Admin\AppData\Local\Temp\1000008021\133684543e.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e


MD5 ff01353adddb643a88d3674b03144791
SHA1 4d978c04c99e4103fb63e055284724cd8292b6a0
SHA256 d9001f30cc1ac924abdda6b1a8b3e84ae3b503de4a42b38dcb1e638976f3f8b6
SHA512 16e6d9d94fea5580c2eed6d5b32d1d1b05402142f58510ea9de8bb6a666d610bac4275940291fcaf35b6f15296afa37b1fca8426c7cad9db07c440348b81d6a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae6bfa95c5740441ec26d154665572bc
SHA1 f05bdc7940282f5bf201c0aa923433b2da9bbbfe
SHA256 2c498458f5c4a0ae6854d9663afe80c0632f003f6e30c48e777be18c0df2c899
SHA512 52b547692a4d08b92282c3212d1fd3e2556a6e340c7cf09c7ca708762c38c23c5632298ba6931f59fb38fd72b0d7c4784a20a8e152a19dd3815fa6fee7d91c96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ea70442b03e0d972cbf29be1e62c138
SHA1 4e1eec1532e2d836de953ef18248bc477b19adbd
SHA256 d3ac3ac14842c2d29200d3135cfff10f684413bd1efc5e25876b6bdb81196cd8
SHA512 82c4895b00d9141542232bfea29e107dd45b0da9572a5ecdee5868d67ba9ac1ba3330479feaf2e138c931bd8b46f8f6e3783b01d42eed450ede7b0872e6eb6e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c12ac8f63951691be28d97137ee077a
SHA1 9630c2a385dc816169c769a34e6880540b3378fa
SHA256 0db2e7e37ededf4d467bb09596b531b3f8b2e16ebca18b89fefde2e7ce5aa8ad
SHA512 a33e8c2c0357f87a271e9df9ed2e5b518777ab3df144d8d60f4211a394f5b5fffbb4291cd49cf3933a143c58278201e604149110ed313c7564ebf0b16c1c2aaa

memory/2592-1315-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1316-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1317-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1318-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1319-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1320-0x0000000000C20000-0x000000000110E000-memory.dmp

memory/2592-1321-0x0000000000C20000-0x000000000110E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 00:41

Reported

2024-07-06 01:58

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe N/A
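The five registry and file signatures above are plain pattern checks on the object a process opens, queries or creates, so they are easy to reproduce outside the sandbox. The Python below is an added example, not the sandbox's own signature engine: the event list is constructed to mirror the indicators in the tables (plus benign noise that must not fire), the VirtualBox rule is widened to the FADT and RSDT ACPI tables that VirtualBox also brands VBOX__ (an assumption beyond what this report shows), and a HKU\ prefix is accepted alongside the report's \REGISTRY\USER\ form. The per-image roll-up matters because a SystemBiosVersion read on its own is also done by legitimate software; it is the combination of anti-VM, anti-Wine and BIOS probes from one image that is the signal. One caveat for production use: stock Sysmon does not log registry key opens or value reads, so feeding this from a live host needs EDR or ETW kernel-registry telemetry rather than Sysmon alone.

```python
"""Re-implementation of the behavioral2 registry/file signatures over a
constructed event stream (added example, not the sandbox's code)."""
import re
from collections import defaultdict

# Signature name (as printed in the report) -> (event kind, regex on the object's tail).
# DSDT\VBOX__ is what the report shows; FADT/RSDT are added as an assumption.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)":
        ("key_opened", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    "Checks BIOS information in registry":
        ("value_queried", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)),
    "Checks computer location settings":
        ("value_queried", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    "Identifies Wine through registry keys":
        ("key_opened", re.compile(r"\\Software\\Wine$", re.I)),
    "Drops file in Windows directory":
        ("file_created", re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)),
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
SID = "S-1-5-21-2494989678-839960665-2515455429-1000"

# Constructed event log: the report's indicators plus two benign events.
EVENTS = [
    {"kind": "key_opened",    "image": DROPPED, "object": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "value_queried", "image": DROPPED, "object": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "value_queried", "image": SAMPLE,  "object": "\\REGISTRY\\USER\\" + SID + r"\Control Panel\International\Geo\Nation"},
    {"kind": "key_opened",    "image": DROPPED, "object": "HKU\\" + SID + r"\Software\Wine"},   # EDR-style prefix
    {"kind": "file_created",  "image": SAMPLE,  "object": r"C:\Windows\Tasks\explorti.job"},
    {"kind": "file_created",  "image": r"C:\Windows\explorer.exe", "object": r"C:\Users\Admin\Desktop\notes.txt"},  # benign
    {"kind": "key_opened",    "image": r"C:\Windows\System32\svchost.exe", "object": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT"},  # parent key only
]


def match(events):
    """Return {signature name: {(image, object), ...}} for every firing rule."""
    hits = defaultdict(set)
    for ev in events:
        for name, (kind, pattern) in SIGNATURES.items():
            if ev["kind"] == kind and pattern.search(ev["object"]):
                hits[name].add((ev["image"], ev["object"]))
    return hits


def triage(events):
    """Roll hits up per image, the way the report's Process column lets you read them."""
    per_image = defaultdict(set)
    for name, pairs in match(events).items():
        for image, _ in pairs:
            per_image[image].add(name)
    return {image: sorted(names) for image, names in per_image.items()}


if __name__ == "__main__":
    for image, names in triage(EVENTS).items():
        print(image)
        for name in names:
            print("    ", name)
```

Run as-is it prints the two malicious images with their signature lists and nothing for explorer.exe or svchost.exe; the svchost event shows why the rule anchors on the VBOX__ leaf rather than the ACPI parent key, which every process can legitimately open.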

Processes

C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe

"C:\Users\Admin\AppData\Local\Temp\9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4288-0-0x0000000000CF0000-0x00000000011DE000-memory.dmp

memory/4288-1-0x0000000077304000-0x0000000077306000-memory.dmp

memory/4288-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

memory/4288-3-0x0000000000CF0000-0x00000000011DE000-memory.dmp

memory/4288-5-0x0000000000CF0000-0x00000000011DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7ede7b1ad45d029e9528612dbb1e39f9
SHA1 fb3beb2812cda7c3e308d1db9c82320bf781a0b2
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA512 d79a3a6a283fdb8856f56dc6377a57cb9e200c3de1a1b6a676a446d39d7c8b1124a7124d778b335b2eb24dffc6988f7f8fb8738fd60be6045ad7f05562d9bf59
(same SHA256 as the submitted sample: ad40971b6b\explorti.exe is a self-copy of the original executable, and the explorti.job task listed under Signatures is what relaunches it)

memory/4288-16-0x0000000000CF0000-0x00000000011DE000-memory.dmp

memory/4568-17-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-18-0x0000000000071000-0x000000000009F000-memory.dmp

memory/4568-19-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-20-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-21-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-22-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-23-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-24-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-25-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4104-28-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-27-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4104-29-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4104-30-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4104-32-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-33-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-34-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-35-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-36-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-37-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-38-0x0000000000070000-0x000000000055E000-memory.dmp

memory/624-40-0x0000000000070000-0x000000000055E000-memory.dmp

memory/624-41-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-42-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-43-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-44-0x0000000000070000-0x000000000055E000-memory.dmp

memory/4568-45-0x0000000000070000-0x000000000055E000-memory.dmp
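The Files and Network listings in this report are flat text, and the interesting facts are buried in them: the only hashed drop is byte-identical to the submitted sample, the CryptnetUrlCache entries are CryptoAPI's CRL/OCSP download cache rather than payload, and exactly one connection (77.91.77.82:80) happens without any name resolution while the in-addr.arpa rows are just the sandbox reverse-resolving addresses it has already seen. The Python below is an added example, not the sandbox vendor's export code: it parses a constructed excerpt in the report's own layout, flags a dropped file whose SHA256 equals the sample's, discards the reverse-lookup noise, and separates resolved domains from hard-coded addresses. Treating CryptnetUrlCache as OS noise and a raw-IP TCP connection as the pivot point are the author's assumptions, not labels the report itself applies.

```python
"""IOC extraction from the report's flattened Files/Network sections
(added example; excerpt and parser constructed from the page)."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246"

# Constructed excerpt copied in the report's layout: one dropped file, one
# CryptnetUrlCache entry, a hashless memory dump and five network rows.
REPORT = r"""
Files

memory/4288-0-0x0000000000CF0000-0x00000000011DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 7ede7b1ad45d029e9528612dbb1e39f9
SHA1 fb3beb2812cda7c3e308d1db9c82320bf781a0b2
SHA256 9a16ee9b5c06b9076f0b35f5e366334347302ca1f6650756ffc9548901639246
SHA512 d79a3a6a283fdb8856f56dc6377a57cb9e200c3de1a1b6a676a446d39d7c8b1124a7124d778b335b2eb24dffc6988f7f8fb8738fd60be6045ad7f05562d9bf59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
"""

# A hashed entry is a drive-letter path, a blank line, then the four hash lines.
# The quantifiers enforce the real digest lengths, so a truncated hash is rejected.
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n\n"
    r"MD5 (?P<md5>[0-9a-f]{32})\nSHA1 (?P<sha1>[0-9a-f]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-f]{64})\nSHA512 (?P<sha512>[0-9a-f]{128})$",
    re.M,
)
# Country, ip:port, domain (or the queried name on DNS rows), proto.
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$", re.M
)


def parse_files(text):
    """Hashed file records only; memory/*.dmp lines carry no hashes and are skipped."""
    return [m.groupdict() for m in FILE_RE.finditer(text)]


def parse_network(text):
    return [m.groupdict() for m in NET_RE.finditer(text)]


def classify(record, sample_sha256):
    """Assumed categories: CryptnetUrlCache is CryptoAPI's certificate-fetch cache,
    a drop with the sample's own SHA256 is a self-copy, anything else is a real drop."""
    if "\\Microsoft\\CryptnetUrlCache\\" in record["path"]:
        return "system_cache"
    if record["sha256"] == sample_sha256:
        return "self_copy"
    return "dropped"


def extract_iocs(text, sample_sha256):
    iocs = defaultdict(list)
    for rec in parse_files(text):
        iocs[classify(rec, sample_sha256)].append(rec["path"])
    for row in parse_network(text):
        if row["domain"].endswith(".in-addr.arpa"):
            continue                      # sandbox reverse lookups, not attacker infrastructure
        if row["domain"] == row["ip"]:
            iocs["direct_ip"].append(f'{row["ip"]}:{row["port"]}')   # no DNS at all: hard-coded address
        elif row["proto"] == "tcp":
            iocs["domains"].append(row["domain"])                   # resolved then connected to
    return {kind: sorted(set(values)) for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(REPORT, SAMPLE_SHA256).items():
        print(kind)
        for value in values:
            print("    ", value)
```

On the full report the same parser yields the one self-copy path, the CryptnetUrlCache set, g.bing.com (Windows telemetry reached over TLS) and the single direct_ip entry 77.91.77.82:80, which is the value worth blocking and hunting for first.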