Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-dzx97axbqa
Target de1d8c161d81ba79c888fef77c75db93.bin
SHA256 45a7622a9f1064a1ff4b53ba411424d8b0c4d7eefbede24869f67d6901c2e8d4
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45a7622a9f1064a1ff4b53ba411424d8b0c4d7eefbede24869f67d6901c2e8d4

Threat Level: Known bad

The file de1d8c161d81ba79c888fef77c75db93.bin was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Identifies Wine through registry keys

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 03:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 03:27

Reported

2024-07-06 03:53

Platform

win7-20240220-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a789b8515eb0d54b8fca75e5a740273400000000020000000000106600000001000020000000a10943bafb18fcb38f6321924d141a0813d447336b03f3faf934e0c4d31ab645000000000e8000000002000020000000fa2f5098ad4b3933a8a1955b0aed0cea30abd6beb71d5b29be85651360a3676b200000007a30169c4788850668de850d3cc3a59f0e959c9817db8ab0f67c01ca8f55323d40000000e4d40960fdbb3498bc5c4423dd02a21450b7138f056c3b3e08c3b216df19a929f094f11fab207bc445a08f3add73306546ef5657c44bfc20926427e705a2bf81 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426399744" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303693d557cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a789b8515eb0d54b8fca75e5a740273400000000020000000000106600000001000020000000936952aabbbb6760f8c3c9d2863b4172dcb0de45091869b74072de3f80c35fdc000000000e8000000002000020000000e036a1608b1eb0ecb2e03e11ae66d941e590c12c2e0bf1443e51752dfac01e9390000000de87cdc4bb104116d1f91559e9153bfd21bcdf8553250364c3e2e913e09c17fe899183e6617c4e7a9c7536ad0f6552f7de744989e8d65c17bc70d668825a377f88906f0e2994fb73ca6baf76473ec25cc952db17af5b5841daf2a7d79e52d959640c39072e986ebf67e2261774309d6c33e2e76b31b462596d36060af591426b58ad8dfa0f3d155f28232d081be2e18140000000286d77384641f62f8f3c32c8f73c510826c31bccb033829464be74ee90d36811dcc29aa0f3b823d1be6069fa1cc8699e01267210c5e75bba9b1156ef38c9c358 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD8BFFA1-3B4A-11EF-8F92-565622222C98} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe
PID 2328 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe
PID 2328 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe
PID 2328 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe
PID 2676 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2676 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2676 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2676 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2992 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe
PID 2992 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe
PID 2992 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe
PID 2992 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe
PID 2992 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1776 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1776 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1776 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2488 wrote to memory of 2080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe

"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe"

C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe

"C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\eef3d48c85.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2912-0-0x0000000000E40000-0x0000000001A33000-memory.dmp

memory/2912-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2912-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2912-62-0x0000000000E40000-0x0000000001A33000-memory.dmp

memory/2912-67-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2912-66-0x0000000000E40000-0x0000000001A33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAKJEGCFBG.exe

MD5 6b40c1ad4eb4763067fb1cfa75f8ce61
SHA1 297b3ab03063c43f5e4e752efbba3986e2245e22
SHA256 8ecd9ef4ed16ada01ebf877fd6911837d50003e004b0f18d48e07f347c710230
SHA512 b639cfdca983bfad19bfd54b95197e2b8c8868e7c786cec6520a61864f6571473873939b35fe5aea847d7073135df94901b1b929fbab6c8c5177626cfa65dc1f

memory/2328-71-0x0000000002250000-0x0000000002706000-memory.dmp

memory/2676-72-0x0000000000B20000-0x0000000000FD6000-memory.dmp

memory/2676-118-0x0000000000B20000-0x0000000000FD6000-memory.dmp

memory/2992-119-0x0000000000F30000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\0aeed427ae.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/2992-141-0x0000000006910000-0x00000000074FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\eef3d48c85.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2232-150-0x0000000000C00000-0x00000000017EC000-memory.dmp

memory/2992-158-0x0000000006910000-0x00000000074FC000-memory.dmp

memory/2232-161-0x0000000000C00000-0x00000000017EC000-memory.dmp

memory/2992-185-0x0000000000F30000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

MD5 03dc9656124d8d2ac600f8bf2fe623e9
SHA1 114aca2d9356fa6171f3c899f313142adcada037
SHA256 33f0cc9397390e82a7ffa099bd66ffde3dd86e5cf4ccabb296bdc23cd37ee469
SHA512 85ab61b69bcacfbe3d8fd801f5e0ca64921ef22eb6097c0a135096706ccc21038ad3910eb127a48a4fc104195d230cc75ee734e51012a8f5f0deba0a5d5f2554

memory/2992-243-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2676-244-0x0000000006FA0000-0x0000000007456000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5586ef0884ff7feec745f38d196d64ec
SHA1 b488b85164b40f79f32d6ed80e7164be3fc16d8f
SHA256 70bbd8af0c79b4fef41e5d204d6c85f18cd791847e32e0cb38030a9b03b2ca2c
SHA512 c0039cb6901263e23b97df8a9556d34da161fb0b5a45073c980832a5403f4454dd8ebbe9b2dab7c7c37269de5363ff6b68f7f74274115a9fa92f5167064e4928

C:\Users\Admin\AppData\Local\Temp\TarB2EE.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\CabB2DD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB43C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b079f069743b6f30902a0d6284827de
SHA1 3e93342b8e19f003d875f19632a8073140767ea5
SHA256 6c8f9686b6b16f91e64c29b52c5e03a65f6f39f467f75b0b8a4882b0ceb61c3d
SHA512 41b15ea91aaf7f7904b82315c0eda1399bf98e498d123ec6da5a9e3842b02099c860a54506cdfb2e6cae2ef598c4b69fe221011105a55c2cea35d30f92bcd1b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 806f57f1dab476f0f4f56a251d27c6a9
SHA1 a1fedd3440ffa7451c694509ffc9ba503c540f75
SHA256 9a607fe24c8e854cd7b4107b7a8ebfb4cfbbb22bbd057875f77b66de72f2a6c3
SHA512 ad2053c915572b31714454a74f3663132d966ae994d141c3ef7f171a1949f4a1d6849b7e1b9dd205810fcf830d39a0d3b587537bace360befbcbb743b5b9baa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 076884300da7d184d5f8cf80827171aa
SHA1 4e8b5cdc904b067f47f65562fb22265c8d9362de
SHA256 9bfb924ebc5366a3660505edf2e9c907c4de9bfef053e7b51b5ac399efc2dae7
SHA512 875d46c5d79f5d0fa4add407ff3a9857adc79d0aae584627a59a8d1bcaa038c684add7d1d1299c1c0cdc047fece40dfa23b3d77ac9ec43c2b7c5c00ec5a38d41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a5d47fd30de292a74189dcce4cd0cba
SHA1 930ee95009bc192373f51633f86cfc17c992ebd7
SHA256 6f3c416da4bcc675af12500c1b611519eaecc6bed1936ca5bc1a7116dfae2647
SHA512 0be20ce51b9b7e38e0ad45a60e3f9f5832c45ae1a64c9c30814a9ce4c4a8cdadd6f1c8692af038565abed86b0dbc1118718de6abc83eeb1df02750c571f989ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 749969ea5b180661d643022b9c1c581a
SHA1 a759b54769ae5238bae406e5ec9ee8a5eac250eb
SHA256 54f1a3ee251d49c42d252d414d907cefef15441cbc7bee5fbd0e51b6d4300a39
SHA512 319b9d3696d78a595a1e58039b7e95da76c7447c06d8a5eb5e415cf65c030f9fae2d40e80a88461fbc1d9ee8cfd12e13b6e45da8eba3b3ad773d171f35f88e51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bb695a14b88aff399ba8795c9895917
SHA1 f1d2c831d3f24efeaf177092644d49b3ee5840e7
SHA256 9a16d9831aa9d437a07697425bff4840c2828fa26b8b5751a55ee6b356db49d5
SHA512 df80411eaafbe4b946de9c7e5abe8dacbf0031d7bc8f8dc6003d49871496d3ebdf21118b27dec0d57a1fe8d68ed4ba87d7ce2c917338c4ef5034b7a4f4cff0d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cac096f2eaeb71fc4f1aa0415c231da
SHA1 af6d4512e77404165e08fc2d17a5a364b20cb7df
SHA256 7a58f3c4630f782d149095178d4b246b6ba094397d08737841866245ad48271b
SHA512 8aa9a21b9181a7e8c50a9975dab92998a4282ec68bdaec106d90a1ae48e529f78c65cfac5b95b8d477dee200310d5c15d3933c012b849a3bb64562510542b97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b449372bf9ec523261f6ad31ba4e4db
SHA1 2a67e83568600d980a78a044c86aab7bf13254c9
SHA256 d04e92b16358740cdb31130be6702a977e9637412feb54fa25d2e19e81cf65f3
SHA512 e80cecc79d39e082512460bd869040876f1ce54c68a2c042ca1667a10096610339a8f52581a99403f50106653b9def30b4af263f9b28812098a0ae1606968dcc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce119c6f0c7d832f6e073895a32d716b
SHA1 8d7d6d4493a050390ea6c2fb32b912e6c330b622
SHA256 2c71ae03a3deb41991c38069710eeb98a8723883052df7694bb9b53e8257629e
SHA512 ba6f13bdb8c0540f1cf4a616481ee43cead8415a58fe3228734672938c62294aeb523712c13ad3514cd5624700bc8d64e188f5421f2d8bf2cdf633adb42f61b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db2fba85574651dc18edc8c5ac398130
SHA1 0a600156038d100c7106a799861633905a5116ca
SHA256 abc477f12b2917f5e298ca4358d52d218219b9fd40cfb23c9c7cba324df4f273
SHA512 6a9cbf9261f5e106a84b2ff3a5112f652bf2a696d5f829e18d3f93e5cf9eaac2314f43568640ea56cc10769c68b9b937e0be1d87333176a00d674ead16cf778e

memory/2992-720-0x0000000006910000-0x00000000074FC000-memory.dmp

memory/2992-721-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-722-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-723-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-724-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-725-0x0000000000F30000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb41a56d0a60ed9d7dd9212f4722a7ba
SHA1 6c33ac56f78420bcf9b0cea2440e054e9a62f2df
SHA256 38b42597b5293facec3c73b027138791e1194f657d8e65b2765deb9558dd41f0
SHA512 473e182d6bbd63fa14c6a056f827cd45721660b8ebcf27f414fec77b26ace0eb27073ba3887c46f06db559059786814e3cfdcd07db9a342f1cd7a31e61e20aa6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49bbb725e3eaeeff50011e3a20d75803
SHA1 fd3eb1e7df4db8ee4988faf07e014d30dbf9a241
SHA256 03e3e1b2815f795d8cf3688d509ef11011f28b55e53a25506a3b1225b086e330
SHA512 365858c4270e7b270ae5b7a848be8a7b15c8da897259d7f39209663b120d6aa94c43cfb7a3aed882b87b9829d0f44974dfc0d0b46c226e73b25563c59bcbe7c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 28d92e11586511bc067952b3d942a525
SHA1 fa9b571cd17b05c26f70677ab4c77c72e55895c3
SHA256 05a967d1318d22eea8988fdca35ba0888a4abb11d8ae2a7c31289cdca8299c9b
SHA512 d432d1d3b720f59956109d93e81c9429c3f118b7320f0b8e61fc7d64a4378e6a8ca3faf6e6c15eb4546b9d1ae1f5c0a9bad5541201d5aaaf1b24dd86b449378a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15d22da1f0385b585457b73620c5c507
SHA1 6d0268209efa73809ca95617f0eb19059c67689b
SHA256 c9ecf886849bcaf6f3bce46d61b9c16d7c76af6f1644335bfea7866d67944946
SHA512 3c2bbf7aea717e8fd795f966895af501b6db5b04fc4f61373a0283a83e053816bf7155e367dcb22410bda7c78eb565fe199315a09617fa43c88b620e39c2050e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc177dbde9f5c77e76eaa8aa22dd2b84
SHA1 cbbd888990e1a77859d8520bfc95973df01c999d
SHA256 30aa0ab039c72774f072efcff27a5aabfb1402ec749dc9b51f93f19714846f3e
SHA512 7748c37265c1e5bc8f5cdcb438dfe08b7276e2f6c4c6112440ba15641d9a0a55346698598e04e4c0659f0929b4b39a84b75813c9ea40382a7f96544171b5040c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 925ae5543a97520e7a87d1f5e59e8d33
SHA1 95f22b978660e10ed928540bedd92dac1ea9256a
SHA256 cec74c87baa7ae87c5ad249ccddce301159391874cd8a9fb1d5963a1bd3d927d
SHA512 dcd5fc3cf2f3a4e79bc5b2beef34d9f7b9d9ef80ddf94ce659623bd9427fb8a03f8358bc88f9d154dca6d77c81fe51c0578a388643f20fcc9b49561736cb55ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 983664ca355d88bb7799bc205346b907
SHA1 0e80e22ada684f559387ad8e51e6af6edf4df63d
SHA256 2b8cd1f2807a6ad8d51ff894c2638e9186919e9cbad89d1b38462bc50f2fab8b
SHA512 b8e5e133653263e69c4f8197117d15606c6753ba2262c454715980b3a694ef29b7db8b8b34e99e8660c423270c06c726c3fe08a90cc96f431b605bc370482c4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85624a82a4d2dda2a339e1a456f67438
SHA1 977d369874402839d38cc6caed5f5452902c70fa
SHA256 b3e9665fdc0507bc104c4cace12ca4d134a5987c39d571f861190aef1f6c1206
SHA512 a4ca9a7decb4cf86a0aebcc6b9bcf3a0f03d2a7a76c915124c7929fc2809f1f04c02879559a8166d30459fb7d5e2a311aebafa952fff00c9f7e78ee7b36530fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64d26bbb521e000fbf01b9ca7637315c
SHA1 1e7f62e0efdc635c119ad1b4ee13ef5e9373ca84
SHA256 4f7364a70d19bf823595293ea3f17b591a9ede2ad63c948a07e5b801f0c418c7
SHA512 e4359f6e0d5fabd660beeca8e3bd1d1174854c23459962722dd8a544115620cd1be4e6ad4e685e156a0649eced172fe39133883fe7f5ab69fefef0062217fb1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 fa17e7a4664576eb02fec88ecb8bb1df
SHA1 2ca7ff17808e1b481907b47cd3bf5dbd7240c524
SHA256 4d124359cac3e630aec9039c61b8ba8ae2033a12009ae580402d31caa137fd3f
SHA512 972bd76e7de856c752444e7252e10f8d975f533af399b25d9cb0b44ac96ca43f6fcbc4ff5b90c105e821ea977d9d8c0c5d5576189bb53290ed297d166ff2c4f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a00f2863e48d480e1f3d0a3e14d2c74
SHA1 f5334dedd56e9ed16ecca82470776ffded7a3123
SHA256 016bb9bd2b29bd3e3e4235b8754d625ebf535ec7dab07fda5da492173efe4f62
SHA512 ddba15156db92dcd5fcadfd70f0bcf78ca9e44d9b2a7f15c9acd5bb5e90300943b7d53b629b979d767b9c0f88d4e580068f87beda9a1af5d4d18e1213dfb6cbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b75917485558e75a1823b761996fc80
SHA1 091b4c81e9996c78e4a0c82461053933bee406b4
SHA256 6a2564daf9edf10456a288b69a18c403fa63fa84afdc999c578132dc7e526fb2
SHA512 f7b076a0e11f9838e33c1d8d2fc3ccf46ceef08003872999b5dca64715514962f3ac9f5182b0eed7bb655e6316abadc12169e5a222076949d9fb2dbd721fdab1

memory/2992-1318-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-1319-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-1320-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-1321-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-1322-0x0000000000F30000-0x00000000013E6000-memory.dmp

memory/2992-1323-0x0000000000F30000-0x00000000013E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 03:27

Reported

2024-07-06 03:54

Platform

win10v2004-20240704-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe
PID 4644 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe
PID 4644 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe
PID 1500 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1500 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1500 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3644 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe
PID 3644 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe
PID 3644 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe
PID 3644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1004 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe

"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3008,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1028,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe"

C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe

"C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\943aef3acd.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=4792,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=2456,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=4248,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5632,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5960,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5952,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5696,i,3027467512973953085,11878940668304988630,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 95.100.245.144:443 www.microsoft.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 92.123.142.200:443 bzib.nelreports.net tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 200.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.142.114:443 www.bing.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 114.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
GB 92.123.142.114:443 www.bing.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 92.123.142.114:443 www.bing.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

memory/1504-0-0x00000000007D0000-0x00000000013C3000-memory.dmp

memory/1504-1-0x000000007F450000-0x000000007F821000-memory.dmp

memory/1504-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1504-83-0x00000000007D0000-0x00000000013C3000-memory.dmp

memory/1504-84-0x000000007F450000-0x000000007F821000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CGIEGHJEGH.exe

MD5 dfe196399a31537eba34a064ad241ed4
SHA1 7950f573ddba95ce66438707ff0dd0f7438416d6
SHA256 e6b0f4fe04313f5c3a7d384fa4423016a2523e79215398210d66d0483842c9b1
SHA512 92fb95962f38e64d26e2889d8aa27abbecf6d987dcb6ab3010a5a00c4a8c4ef8b4e86cf6e59bd690c5153efa465255fb4c262f7398642473d05e7fbd198a1a52

memory/1500-88-0x0000000000FF0000-0x00000000014A4000-memory.dmp

memory/3644-100-0x0000000000A80000-0x0000000000F34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/1500-107-0x0000000000FF0000-0x00000000014A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\13bcef463e.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/4796-123-0x0000000000BD0000-0x00000000017BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\943aef3acd.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/4796-134-0x0000000000BD0000-0x00000000017BC000-memory.dmp

memory/3644-172-0x0000000000A80000-0x0000000000F34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

MD5 746a519a6c32127c50b5b3aa3e02d757
SHA1 590bbf5b013caba2ef4456d00e8018669f0eef26
SHA256 6399a4ac6631de9c75169c0d2100f948ae2189891aefc99e9ea0be8ae016fd49
SHA512 bc9dde33d4ff4cec7f21b59b634e26d503d0c4293f5f91066030c3b6418493ab2d9028ae0a844f4706836c97cf1ea8d401e7323c685600bc4493852d7326fe1a

memory/3644-184-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-185-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3652-188-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-187-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3652-189-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-190-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-191-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-192-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-193-0x0000000000A80000-0x0000000000F34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 c010f992e0e48592afd84c46387dba0b
SHA1 3345c74ded5a6efd20f3e9ba906bf8666193f40b
SHA256 d0d9d00eb8cd289616f33cd0a15c0ac8262b17de983809a6ec8f1055e7b386b3
SHA512 9a845e77026c5ac0dc579a7a7426404afc00ed4ff81c780b050cc3b59a23905bcccaca8b48b56162949c9bdb472f478e15afc0267799e2d1eabd50625e3ace6f

memory/3644-199-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-201-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/1868-202-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/1868-204-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-205-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-206-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-207-0x0000000000A80000-0x0000000000F34000-memory.dmp

memory/3644-208-0x0000000000A80000-0x0000000000F34000-memory.dmp