Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-dmjahawhke
Target 9c923d102f7688ef4e407b893fe8d448.bin
SHA256 9cebcd6e0d4b99ab06d1498029c30c7d8e2b89dc2b1dad3f809e86ff5ca22000
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9cebcd6e0d4b99ab06d1498029c30c7d8e2b89dc2b1dad3f809e86ff5ca22000

Threat Level: Known bad

The file 9c923d102f7688ef4e407b893fe8d448.bin was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 03:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 03:07

Reported

2024-07-06 03:56

Platform

win7-20240705-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000ad2adeb9b021311490fcfbefd91b089227ae1bb0f61fad243b54ea14ee9ac014000000000e800000000200002000000082b8b9912dd4a623e66adf857b9d3184bc0678c6be68ec342828996a69ce2fa520000000e39e01105554a3318dceb1787c6d363e60f3c1c3d889626e0e684f80f9780e19400000004b9894c7bef8efa7ef89597cae0716e449fb3bdc6c98b1164ceef7e927580a57ad741528550180a079fbabbe7f6a391c2d8445e534aaed45998dc816ec2fde1a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426399944" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bf384c58cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{76B1DA81-3B4B-11EF-B585-FA51B03C324C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe
PID 2628 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe
PID 2628 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe
PID 2628 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe
PID 2928 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2928 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2928 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2928 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe
PID 3012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe
PID 3012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe
PID 3012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe
PID 3012 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2236 wrote to memory of 1552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2236 wrote to memory of 1552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2236 wrote to memory of 1552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2236 wrote to memory of 1552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIJEGIIJDG.exe"

C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe

"C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\9530cf6734.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2136-0-0x00000000002A0000-0x0000000000E94000-memory.dmp

memory/2136-1-0x00000000002A0000-0x0000000000E94000-memory.dmp

memory/2136-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2136-66-0x00000000002A0000-0x0000000000E94000-memory.dmp

\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe

MD5 dfe196399a31537eba34a064ad241ed4
SHA1 7950f573ddba95ce66438707ff0dd0f7438416d6
SHA256 e6b0f4fe04313f5c3a7d384fa4423016a2523e79215398210d66d0483842c9b1
SHA512 92fb95962f38e64d26e2889d8aa27abbecf6d987dcb6ab3010a5a00c4a8c4ef8b4e86cf6e59bd690c5153efa465255fb4c262f7398642473d05e7fbd198a1a52

memory/2928-101-0x0000000001250000-0x0000000001704000-memory.dmp

memory/2928-116-0x0000000001250000-0x0000000001704000-memory.dmp

memory/3012-117-0x0000000000110000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\b086682dee.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/3012-137-0x0000000006C00000-0x00000000077EC000-memory.dmp

memory/3012-139-0x0000000006C00000-0x00000000077EC000-memory.dmp

memory/1672-140-0x0000000000F30000-0x0000000001B1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\9530cf6734.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/3040-178-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-177-0x0000000002250000-0x0000000002350000-memory.dmp

memory/1672-182-0x0000000000F30000-0x0000000001B1C000-memory.dmp

memory/3040-176-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-175-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-174-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-173-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-172-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-171-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-170-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-169-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-168-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-167-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-166-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-165-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-164-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-181-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-180-0x0000000002250000-0x0000000002350000-memory.dmp

memory/3040-179-0x0000000002250000-0x0000000002350000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

MD5 c6b6f6ecc0d7bc66631553a627a8fdb2
SHA1 8da05529e26f572b8d97670ae05ad1ef6c57cc9b
SHA256 f1e730486949c4eec0fcd75b15dc89bf7c99ee567f958bee4f3cbdde3a0e3919
SHA512 2797870f2a1cf0da212f1f3b6d8f2045de04abe63ed6c1756b65e3f831ebffd941eb4f594403fecb4099e5ba80b13c5c405873b2011e2465a3757ce5c4d8a769

memory/3012-237-0x0000000000110000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar330.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab32E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5166222af304c66255e99fdb64e11b5
SHA1 db9704502f04f3dea48fc2096362ec7aff18410f
SHA256 288d5ec8627ab3cb8ca32b941003ae4e11ccdad1146d226c80e9ef3b935ed3d1
SHA512 fd2715e78ff8e192c55de11535f48979979ed95764c729af8a9aaccde2ca54e4a85c21deaa75f1448fdf4b9bed0eaecb2eb2f38910b0a3afeafabb8ae32f4111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44e4a48b3dd2c1b97f3a33da4407030e
SHA1 207d04d4e3652de333b18dbd51ee6c2c0b9c9840
SHA256 acc4b09494645964a851760f75a399606f9d0863909ac3846f036c857b881867
SHA512 26a2dc5c043de5f0fbe66b1db867358231c8ced0f3aefa159427b3262101b48a2c605e60c69470305f5b8c2e4fb001427a9887fe9ffee27a4a5fd0e5b3a45111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ece16becb57c4c4b453fbf0cc97f365
SHA1 d6226659881bc48f70d00c0c5db332142b79a896
SHA256 2b7589f9514704efa104cfe4fe3ff7cd8d6a4b9b320b4ec1597a98291ee26d3b
SHA512 19c360eb1a5ecb76ffd82ede4f9e607a537babc95207f507f2e95c6c439c5191cb2295c06a8e1128c776c65d0c5fa9027ae38d2699b6f18dc616d13bd1494fa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7a8da415db2e3ccca0889b105288bf2
SHA1 01dee1f6d9c265841d11cd31d7e57f0995c8baab
SHA256 598800470387bd2ef4fdd26f3ba37d7f72574c64d3ddef5065c9f9c33118c925
SHA512 42c54a11878406bc62c3d58ef637062adf097fd2188f9f00f28b3c8891f73dbe12b7d3ea65eec90e32437844e37d4a84b45fd6c69a57714084ff43b99b74bde0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 655476ef74e0975445bd89273fbefa62
SHA1 5562e3a5301bd0eeeae36a1be9524c8e3f75de4e
SHA256 280fd1c6a36013cc15ed7b6e63efb19ec1b710009a6ca9270edf917613637eda
SHA512 78681bf248f7c97b5ff30677ef8e1b5df2fd2c82ea7635f23a56a493eb4d433871341eb9036b61aa811550c6aa502c5cbde68acc9472916133324b6ff5d84cb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 920416b2e473186e438300cd426864bd
SHA1 c210e500d0865372dbb57ab318f0a3bafacb8137
SHA256 0de74d5bcc579a6e40d44e095725d48518ad1e334c5bb3df33fa815c7288a425
SHA512 a57f04ceb6dcabc5e27e3d6a79bf5eabe04e0ffc76a253381cca97c88eac0bde541042acd6ede98b738b299b487dc52f92791c96c8cfdc4e4674b1ddd2aec4ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00a612c57f68c4fd535bb72645211f71
SHA1 80723dbdb3de1c6360120d734e794b544b20e539
SHA256 4e9d5d1332f7891f600fa5497ba95fe5e5194ff71fac9d566cf7ea9e5ed14a1f
SHA512 8498b7d6f5cb9ff4f0edd7eca2af94811d8f61d1527d749efbdda64dd995ba86ff5827fd1b277cd0e82f00da933b9b8f9c5115c8531bb8522536a38fb7e8984c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd6e1d8d8685fb90ad25bf90e88fecbf
SHA1 ebaf46b6f13a73bf643727e1771efae822878c6a
SHA256 931b9da7858c0178e454938ac78e65b3b023717b49e81239d26a521cf20eaf62
SHA512 94eecafef0c3b1e6a49ce05c9266eb526d866295b56334b2e549f9d36af985337a25f84bc330cfeb6e3f5b0ade64014313f320c0f1a97b9f6442bac1f9360bb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f38eeeb7fd22da91782520523c84be7c
SHA1 431adde25e663ae5603a9c87df4814a41faf9427
SHA256 5b457fc34a95543cfe1a5aedf281b52f65b8cad18db4c2a81e0ff9d0f064f092
SHA512 4329c9cb48d647ea4e3ce3ad4e7c4fb4cfe667d04afe8b45885ab811069a4d7c55af4ae3f0df659bff3ddbc943cf62e3d0580005bf1f9c0d0cf5dbc625d02572

memory/3012-666-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3012-667-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3012-668-0x0000000006C00000-0x00000000077EC000-memory.dmp

memory/3012-669-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3012-670-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3012-671-0x0000000000110000-0x00000000005C4000-memory.dmp

memory/3012-672-0x0000000000110000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a2c99f60066125c9beb60f05b099c03
SHA1 1896394fb272a5ba8f1b5c3f9826ea816717f876
SHA256 ab6f544252d6b35ca2bf047047a735d08dcb411a5eb4346bc357bed25046e75a
SHA512 e6fdf97d9a3673925561618c7af41cb4c421b812a69156913000fd83a10e87ad091feed773e218644e5c210d8e64c46550bd7ecc99cd49eddf1c6d7754a1d256

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e18f6b597683105c8b5c599c4c62bd3d
SHA1 98332a13c030de7800402afa7b06fbc567634aa8
SHA256 270346d3ea78cfe7432f95439810604fbed457a7f10295346b6a6637eea9d8b8
SHA512 c477415ffaee48a5a8005e5e72da9b5a1a50273f555b1efe173a3dad208f128f304c4fccdac3bd74a6f65fd9332711394925de5757800c75bf347b21852b9fa0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f87fba53044d636bf0b0669c4b6723a0
SHA1 7716726ef4324487b535878a9767d02cc64783ba
SHA256 93d97cd1ed8bc0cbcae887ad7b94418d07d04b8f4b06c563cef347916d0007d1
SHA512 515559298588d319c2e53ec0314dc81e21a298dc32fd896439068c246919910907cded02e824c0363f762c4f9058c3061cc57a219e49677d9b0f2c41775f916c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39b1aeae860f91a9bbeeef0dd7d9e7d0
SHA1 b11d2497abc618d4daeb3fc0641dc1438c85e72e
SHA256 3b5594af9d71e475fa457e5e104ed005bf0cc96dcc94d7c15fb38d97372d987a
SHA512 8c2c7ad7118b1d65cf071bdb0b20ae70cd55c3bb8a7bf1813afb3ff212ad817dcd18458fd022810659d7eaf355ad24f85710048eb115c889d1e21919e636a66e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 03:07

Reported

2024-07-06 03:56

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe
PID 2176 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2024 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0e83f6daba.exe
PID 2024 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3412 wrote to memory of 3620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3412 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3412 wrote to memory of 4904 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe

"C:\Users\Admin\AppData\Local\Temp\9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEGCBFHJ.exe"

C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe

"C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0e83f6daba.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0e83f6daba.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\76d55c3044.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff097246f8,0x7fff09724708,0x7fff09724718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,9263247645542870697,16299285774734037016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5764 /prefetch:2

Network

Files

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\GIIDBGDAFH.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\0e83f6daba.exe

C:\Users\Admin\AppData\Local\Temp\1000008021\76d55c3044.cmd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3412_LHWWGUINGJOLZFVS
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2957ace22826fc5351eb08fb83300227
SHA1 eb9f969ecceadb5f4aea271ff3d2edc050c62746
SHA256 e04582dee0554c920f582b0cc72507f34f3fbb7ce4d5dd756b9c6eed8528837c
SHA512 cf765ae28081a6772968cfe427140f7a314201bbc2c3a6cf17b602a47ab0f49fef1f7e6f2ffedecd4f014cbe706148d54434479952f1460af8f43b86cfc8542e

memory/2024-169-0x0000000000720000-0x0000000000BD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8a21dc0a25b6c8f60b1447cd0c0c7e5d
SHA1 702ea0276f1adc079c5dfb0b694a549807f06171
SHA256 bcfa4acee70a646095e604ae0a3735a1194e15ddacc2b5f21a7c845ecb2aa47d
SHA512 1647da068794d4f6b24f2a8062df52564195ec9ad610080d1dc324efacf68d54096800b24c63d1e9e7fe80226b73017141161a34cd02165c82a37f86a61ecb0f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd4737fb-028c-4777-9148-85fd93b0dd9f.tmp

MD5 3fd6d71c980f62260c190d3433130459
SHA1 de7f0e4d1aa90d7b2da4b64b3a95aa17a8c0b88b
SHA256 1e133e733de6ad0375e649fd82f68eb3f0f1949f9b8137e9beb669559a925c02
SHA512 04549751682abc105c5145178447db01ad6e544466708516f5caebb97e9d4ec0bb23151e25ebd401e5bc4cb0feca3d641e6b1f6a6dfcf819acc94b4aeb83835c

memory/2024-210-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-211-0x0000000000720000-0x0000000000BD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5651fba288f6a3af838d5648f8d3326f
SHA1 295b2e1ff1c05980ff3be9118deb24cd0a7f5143
SHA256 240bf87799c60ad74850e581eddf46e3e443f87d390478e4722b0f7d88287a27
SHA512 8d3870e531ece7c4d779c43983b93a0a21691e5fb5a736707c91a5337cf529cfafa72240a57916865b1ec8c084b520bc4bac651510b1a823070cec400efc5c69

memory/2024-217-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-227-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-228-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/3836-239-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/3836-240-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-241-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-250-0x0000000000720000-0x0000000000BD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2c8f2b6fa1a8a5121f690dcc2a3553ee
SHA1 65ce216655f3d11413f9aa6e37a01a5f4df6ed5b
SHA256 83a8fbb5b8ab7b92dacddb23a67ffeb787f8daa6eec579b2855aca39ed73b68d
SHA512 ac1558e16a0af0b28b7ef2b48bf3cb66f6003fe03ec364e8674c940f0fa3080a7bacf90a670914908399e6dd642414c719d3fab04e123adeaa1859decf3403a8

memory/2024-274-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-275-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-276-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-277-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/1608-279-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/1608-281-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-282-0x0000000000720000-0x0000000000BD4000-memory.dmp

memory/2024-285-0x0000000000720000-0x0000000000BD4000-memory.dmp