Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-cbxhbavemd
Target d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe
SHA256 d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5

Threat Level: Known bad

The file d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:54

Reported

2024-07-06 02:10

Platform

win7-20240705-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2812 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe
PID 2260 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe

"C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEBFBFIEH.exe"

C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe

"C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

Network

Country | Destination | Domain | Proto
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 77.91.77.82:80 | 77.91.77.82 | tcp

Files

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\DAAAFBKECA.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:54

Reported

2024-07-06 02:10

Platform

win10v2004-20240704-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe | C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe
PID 3604 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1904 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\7d7814c56c.exe
PID 1904 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 4220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe

"C:\Users\Admin\AppData\Local\Temp\d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEHIEBGHD.exe"

C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe

"C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\7d7814c56c.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\7d7814c56c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\1038aa8218.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network


Files

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\FHDHCAAKEC.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

C:\Users\Admin\AppData\Local\Temp\1000006001\7d7814c56c.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

C:\Users\Admin\AppData\Local\Temp\1000008021\1038aa8218.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49
