Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-bmb53stfpb
Target 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
Tags amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616

Threat Level: Known bad

The file 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:15

Reported

2024-07-06 02:15

Platform

win7-20240704-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{565FF5E1-3B3D-11EF-A533-F296DB73ED53} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426393879" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000000a774ab7c569cac048de41109ab706b9a1a1f2ff39d73cca86bdac650080af20000000000e8000000002000020000000fa4f1ce34393ee9416c2ded9b44cd675c86e638d8beb909174d0b265ae9d97042000000098a880474a789d96783b9e46c4c70e7a905493746e3cf5c9be418ddb94a18899400000008875e1ac045554c0ce109fc6ac949bc04ce57cb1106129591ae955fff115c1f955036e315a22c588b2263ec5d67a645514eb32b5feaea59009a3f25029f7e9e0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04e862c4acfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe
PID 1260 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe
PID 1260 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe
PID 1260 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe
PID 2116 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2868 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2868 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2868 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2868 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe

"C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGIJEBGDAF.exe"

C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe

"C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\1ba80f57ab.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 www.gstatic.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 85.28.47.30:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\CBFIJEGIDB.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

C:\Users\Admin\AppData\Local\Temp\1000006001\ef0b4f8df0.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

C:\Users\Admin\AppData\Local\Temp\1000008021\1ba80f57ab.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:15

Reported

2024-07-06 02:17

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe C:\Windows\SysWOW64\cmd.exe
PID 3812 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe
PID 3812 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe
PID 3812 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe
PID 4280 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4280 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4280 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe
PID 776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe
PID 776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe
PID 776 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 1576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe

"C:\Users\Admin\AppData\Local\Temp\441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBFHCGCGDA.exe"

C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe

"C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\6ec39edf0a.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x98,0x128,0x7ff88dcb46f8,0x7ff88dcb4708,0x7ff88dcb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,15896267809451140027,7529085434570170037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3108 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\CGIJKJJKEB.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

memory/4280-83-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/776-96-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/4280-95-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/1676-98-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/1676-100-0x0000000000640000-0x0000000000AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\606cde117b.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/4896-116-0x0000000000030000-0x0000000000C1C000-memory.dmp

memory/4896-117-0x0000000000030000-0x0000000000C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\6ec39edf0a.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9abb787f6c5a61faf4408f694e89b50e
SHA1 914247144868a2ff909207305255ab9bbca33d7e
SHA256 ecfd876b653319de412bf6be83bd824dda753b4d9090007231a335819d29ea07
SHA512 0f8139c45a7efab6de03fd9ebfe152e183ff155f20b03d4fac4a52cbbf8a3779302fed56facc9c7678a2dcf4f1ee89a26efd5bada485214edd9bf6b5cd238a55

\??\pipe\LOCAL\crashpad_1508_THDTNXPUZKSJCRSQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b6c11a2e74ef272858b9bcac8f5ebf97
SHA1 2a06945314ebaa78f3ede1ff2b79f7357c3cb36b
SHA256 f88faeb70e2a7849587be3e49e6884f5159ac76ef72b7077ac36e5fbf332d777
SHA512 d577a5b3a264829494f5520cc975f4c2044648d51438885f319c2c74a080ea5dd719b6a885ed4d3401fd7a32341f88f26da5e3f29214da9afbbbd5ee950e8ec3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f1506779cac7e1ee2a6eb1b9b3a690bf
SHA1 24b16575783599581d00768d831ade9562ed088a
SHA256 17d1dc72e6df6e46d1ecd21b79f1601d1219b1fb86dde33c89cdde669fcebf3a
SHA512 90cd40185f2af20470aa982d7efa8fa13efb5a7dc4ec78393abe9709fc798ec503780b01eab77578c5f8780a526252909f68b769c99e72933f307e4313f7022f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/776-193-0x0000000000640000-0x0000000000AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cd1da37c0f4a8e663d95ec0e25774c41
SHA1 c24ed5c39ba0f6364d03d3b9273b09ffa895689f
SHA256 d4ca3f8500e2c07bb92390e7cf050b89a647f85c641b93430fd76a8a34c5fc9f
SHA512 e49e3839ec18e7a56841f3de8a92dc7f1cf3b2db907470f632094cd1130abc70a9599dc7d4c5c06111d408cd838d1a3fef184b6d3f2f7002cc36cc537780ddc4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ea3ebaf1f525a09fb53b33021c83aff3
SHA1 a041ee4a3dfd74dd03ad44f39d0814906d033cbb
SHA256 305855b6176cf759f277789c1d93373e8d63d74829d7310890570b2758faae85
SHA512 642bb47661c789cc400067a0d325f827adb9e68959d473ab780bf83936ffbe6bb77732f574e4bc888bfca5e5b7c6dc42b95c19f5178bc42df5747783ad186b6a

memory/776-214-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-215-0x0000000000640000-0x0000000000AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 24b4a4989211682054bca3e80e8db338
SHA1 9b2a828b3d7b765909d55584980ae991a803dcff
SHA256 17d61a5fb85704e956def6865c2f9b01253a42d3665b5c153bf231f5dafa14af
SHA512 e803aeb5e6141cc15c02e070598936c5c6251441dd7b521b645c1ec5654d4d5817118bddbdea63af8b7ec935e28983aaec100dcb1f15d23132a725a0297d263f

memory/776-221-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-231-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-232-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-243-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/712-244-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/712-245-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-254-0x0000000000640000-0x0000000000AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f64f8ce6e0b4b7f83e908c9170a8acff
SHA1 39de59e12d8e09fd46d9fed439757636e6f3ba80
SHA256 92a80f27bff5d536039599ba0a5b9a7c40ff3f93089133211d923937531f8244
SHA512 942f02a0acf48ad9a2591f4195a3980aade9a630a9ea6aba8e13070784b5723f46a87e10060c22f8848210c6fb5562ffdc9306a15a60c86f742c854ffdb3f13f

memory/776-278-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-279-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-280-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-281-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-283-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/1504-284-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/1504-286-0x0000000000640000-0x0000000000AE8000-memory.dmp

memory/776-289-0x0000000000640000-0x0000000000AE8000-memory.dmp