Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-h325rszfpm
Target 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe
SHA256 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b

Threat Level: Known bad

The file 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 07:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 07:16

Reported

2024-07-06 07:19

Platform

win7-20240705-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | N/A
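The registry reads recorded in the evasion and discovery signatures above (the VBOX__ ACPI table key, the SystemBiosVersion and VideoBiosVersion strings, the per-user Software\Wine key, and ProcessorNameString) are the artifacts an analysis image must not expose if this family is to run to completion. The script below is an added example, not code from the report or from the Amadey/Stealc samples: it re-implements those checks so a sandbox owner can run it inside the VM and see which ones the image fails. The hypervisor marker strings are an assumption, since the report shows which keys were read, not what the sample compares their contents against; the three snapshots at the bottom are constructed for offline use, not captured from the report's VM.

```python
r"""Audit a Windows host for the registry artifacts this sample probes.

Added example, not code from the report or from the samples. It
re-implements the checks the signatures above record (HARDWARE\ACPI\DSDT\VBOX__
present, HKCU\Software\Wine present, BIOS and CPU description strings naming
a hypervisor). The marker list is an assumption, see HYPERVISOR_MARKERS.
"""
import sys

VBOX_ACPI_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"          # HKLM, key existence
WINE_KEY = r"Software\Wine"                            # HKCU, key existence
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"              # HKLM, REG_MULTI_SZ values
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
CPU_VALUE = "ProcessorNameString"

# Assumed substrings (Pafish-style); the sample's own list is not in the report.
HYPERVISOR_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS",
                      "XEN", "KVM", "HYPER-V", "VIRTUAL")


def _as_text(value):
    """REG_MULTI_SZ comes back as a list; flatten to one string."""
    return " ".join(value) if isinstance(value, (list, tuple)) else str(value or "")


def evaluate(snapshot):
    """snapshot = {"hklm_keys": set, "hkcu_keys": set, "values": {(key, name): value}}.
    Returns [(finding, detail)] in the order the signatures above list the checks."""
    findings = []
    hklm = {k.upper() for k in snapshot["hklm_keys"]}
    hkcu = {k.upper() for k in snapshot["hkcu_keys"]}
    if VBOX_ACPI_KEY.upper() in hklm:
        findings.append(("virtualbox_acpi", VBOX_ACPI_KEY))
    for name in BIOS_VALUES:
        text = _as_text(snapshot["values"].get((BIOS_KEY, name)))
        if any(m in text.upper() for m in HYPERVISOR_MARKERS):
            findings.append((f"bios_{name}", text))
    if WINE_KEY.upper() in hkcu:
        findings.append(("wine", WINE_KEY))
    cpu = _as_text(snapshot["values"].get((CPU_KEY, CPU_VALUE)))
    if any(m in cpu.upper() for m in HYPERVISOR_MARKERS):
        findings.append(("cpu_name", cpu))
    return findings


def snapshot_from_winreg():
    """Read the same keys from the live registry (Windows only)."""
    import winreg  # ImportError anywhere but Windows
    snap = {"hklm_keys": set(), "hkcu_keys": set(), "values": {}}

    def exists(hive, path):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, path))
            return True
        except OSError:
            return False

    if exists(winreg.HKEY_LOCAL_MACHINE, VBOX_ACPI_KEY):
        snap["hklm_keys"].add(VBOX_ACPI_KEY)
    if exists(winreg.HKEY_CURRENT_USER, WINE_KEY):
        snap["hkcu_keys"].add(WINE_KEY)
    wanted = [(BIOS_KEY, n) for n in BIOS_VALUES] + [(CPU_KEY, CPU_VALUE)]
    for key, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                snap["values"][(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass
    return snap


# Constructed snapshots for offline use; not captured from the report's VM.
VBOX_GUEST = {
    "hklm_keys": {VBOX_ACPI_KEY, BIOS_KEY, CPU_KEY}, "hkcu_keys": set(),
    "values": {(BIOS_KEY, "SystemBiosVersion"): ["VBOX   - 1"],
               (BIOS_KEY, "VideoBiosVersion"): ["Oracle VM VirtualBox Version 7.0.0"],
               (CPU_KEY, CPU_VALUE): "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"},
}
WINE_PREFIX = {
    "hklm_keys": {BIOS_KEY, CPU_KEY}, "hkcu_keys": {WINE_KEY},
    "values": {(CPU_KEY, CPU_VALUE): "AMD Ryzen 5 5600X 6-Core Processor"},
}
HARDENED = {
    "hklm_keys": {BIOS_KEY, CPU_KEY}, "hkcu_keys": set(),
    "values": {(BIOS_KEY, "SystemBiosVersion"): ["DELL   - 1072009", "1.2.3"],
               (BIOS_KEY, "VideoBiosVersion"): ["Intel Video BIOS"],
               (CPU_KEY, CPU_VALUE): "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"},
}

if __name__ == "__main__":
    snap = snapshot_from_winreg() if sys.platform == "win32" else VBOX_GUEST
    for finding, detail in evaluate(snap) or [("clean", "no artifacts found")]:
        print(f"{finding:24} {detail}")
```

On Windows the script reads the live registry; elsewhere it evaluates the constructed VirtualBox snapshot. An empty finding list is the target state for an image meant to detonate this family. Note that the VBOX__ key is derived by Windows from the OEM ID in the ACPI tables the hypervisor presents, so removing it is a hypervisor-side change rather than a guest registry edit.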

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426412071" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2AA8A71-3B67-11EF-9297-6205450442D7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000930ed985b08cdd4cb38e38023150682b00000000020000000000106600000001000020000000313637dded91e1a8ce01d7e6998bdb98b96cc5ca54f2c55a0fbdfc7c42285fc8000000000e800000000200002000000090c02c7ae9007000d65dad76f5175485a27fb5ceb60368e146a855dcb89bd706200000009dc018689d60c9510f51eef94eb11a51af904b72a3d6bb270b6dbbc09566cb23400000000dfb5f8370cb884c504a7e8130e3b7a09f9b075bd9e9b52396d3a71cb95957a8e7442b1034488fd59d705eb4ce7e4f5547ef0adadeb2ff0bd3434ad5118c2827 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202dbf8774cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2340 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2340 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2340 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2340 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3012 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 3012 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 3012 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 3012 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 3012 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 2036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 2036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 2036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 2036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2780 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2780 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2780 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2780 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe
PID 3052 wrote to memory of 988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe
PID 3052 wrote to memory of 988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe
PID 3052 wrote to memory of 988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe
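Read together with the Processes list that follows, the rows above give the execution chain: the submitted sample (PID 2340) starts the dropped explorti.exe (3012), which starts fb70ea72c4.exe (2888) and a cmd.exe (1180) whose only child is Internet Explorer opened on https://www.youtube.com/account, so 1180 is the cmd /c run of d2ad9dd5e2.cmd; fb70ea72c4.exe in turn runs two cmd.exe instances, one of which (3052) starts FIJECAEHJJ.exe (988) while the other (596) has no recorded child. Every logged write here is a parent writing into a child it has just created, recorded four times per pair, so once de-duplicated the table is a parent/child map rather than evidence of injection into a foreign process. The script below is an added example, not code from the report or from the sample, and rebuilds that tree from the rows. The eight distinct rows are copied from the table; the report repeats each one four times, which the `* 4` reproduces. The command-line mapping is taken from the Processes list; cmd.exe appears there with three different command lines, so it is shown as ambiguous rather than guessed.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.

Added example; not code from the report or the sample. In this detonation
every logged write is a parent writing into a child it has just created
(each recorded four times), so after de-duplication the table is a
parent/child map that can be joined with the Processes list. A write into
a PID the writer did not spawn would be the injection case; no row here
shows that.
"""
import re
from collections import defaultdict

# The eight distinct rows, copied from the table; the report lists each of
# them four times, which the * 4 below reproduces.
DISTINCT_ROWS = r"""
PID 2340 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3012 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 3012 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe
"""
WPM_TABLE = "\n".join([DISTINCT_ROWS.strip()] * 4)

# Command lines from the Processes list, keyed by image path. cmd.exe is
# listed three times with different arguments, so it maps to a list.
CMDLINES = {
    r"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe":
        [r'"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe"'],
    r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe":
        [r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"'],
    r"C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe":
        [r'"C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe"'],
    r"C:\Windows\SysWOW64\cmd.exe": [
        r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\d2ad9dd5e2.cmd" "',
        r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe"',
        r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe"'],
    r"C:\Program Files\Internet Explorer\iexplore.exe":
        [r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account'],
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE":
        [r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2'],
    r"C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe":
        [r'"C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe"'],
}

# Paths may contain spaces, so the Process column is matched non-greedily
# up to the space that precedes the Target column's drive letter.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (C:\\.*?) (C:\\.*)$")


def parse_edges(text):
    """Return (set of (parent, child), {pid: image}, number of rows parsed)."""
    edges, images, rows = set(), {}, 0
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows += 1
        parent, child, src, dst = m.groups()
        edges.add((int(parent), int(child)))
        images[int(parent)] = src
        images[int(child)] = dst
    return edges, images, rows


def build_tree(edges):
    """Children per PID, parent per PID, and the PIDs nobody wrote into."""
    children, parents = defaultdict(list), {}
    for parent, child in sorted(edges):
        children[parent].append(child)
        parents[child] = parent
    roots = sorted(p for p in children if p not in parents)
    return children, parents, roots


def render(pid, children, images, cmdlines, depth=0, out=None):
    """Indented tree; ambiguous images show how many command lines match."""
    out = [] if out is None else out
    image = images[pid]
    cmds = cmdlines.get(image, [])
    if len(cmds) == 1:
        label = cmds[0]
    elif cmds:
        label = f"{image}  (one of {len(cmds)} command lines)"
    else:
        label = image
    out.append("  " * depth + f"[{pid}] {label}")
    for child in children.get(pid, []):
        render(child, children, images, cmdlines, depth + 1, out)
    return out


if __name__ == "__main__":
    edges, images, rows = parse_edges(WPM_TABLE)
    children, parents, roots = build_tree(edges)
    print(f"{rows} rows, {len(edges)} distinct parent->child edges")
    for root in roots:
        print("\n".join(render(root, children, images, CMDLINES)))
```

The same parser works on the behavioral2 table further down once its rows are pasted in; a PID that appears as a write target but never as a CreateProcess child in the sandbox's own process list is the case worth escalating, and this table has none.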

Processes

C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe

"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\d2ad9dd5e2.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBAEBGHDA.exe"

C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe

"C:\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe"

Network

Country | Destination | Domain | Proto
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | www.youtube.com | udp
GB | 172.217.169.46:443 | www.youtube.com | tcp
GB | 172.217.169.46:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp
GB | 216.58.201.99:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 216.58.201.99:80 | o.pki.goog | tcp
GB | 216.58.201.99:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
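Only four of the rows above are connections with no preceding name lookup: the Domain column simply repeats the destination IP, and all four go to port 80 on Russian-hosted addresses (77.91.77.82, 77.91.77.81 twice, 85.28.47.30). The rest is explained by the Processes list: the .cmd script opened Internet Explorer on https://www.youtube.com/account, and the YouTube, Google, consent.youtube.com and ieonline.microsoft.com traffic, together with the fetches from c.pki.goog and o.pki.goog (Google's CRL and OCSP hosts), is the browser doing its normal work. Blocking any of those as indicators would be a mistake. The script below is an added example, not code from the report or the sample; it applies exactly that split to the 24 rows, copied verbatim, and returns the direct-IP endpoints with hit counts as the candidate C2 list.

```python
"""Triage of the Network table above.

Added example, not code from the report or the sample. Rows are split into
DNS lookups, connections to a host that was resolved first, and
connections whose Domain column is just the destination IP (no lookup
preceded them). Only the last bucket is a candidate C2 indicator here.
"""
import ipaddress
from collections import Counter

# All 24 rows, copied from the table above.
NETWORK_ROWS = """\
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def parse_flows(text):
    """One dict per row: country, ip, port, domain, proto."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def classify(flow):
    """dns: resolver traffic; direct_ip: the Domain column is the IP itself,
    so nothing was resolved; named: a connection tied to a resolved name."""
    if flow["port"] == 53 and flow["proto"] == "udp":
        return "dns"
    try:
        ipaddress.ip_address(flow["domain"])
    except ValueError:
        return "named"
    return "direct_ip"


def triage(text):
    buckets = {"dns": [], "named": [], "direct_ip": []}
    for flow in parse_flows(text):
        buckets[classify(flow)].append(flow)
    return buckets


def candidate_c2(text):
    """Direct-IP endpoints with hit counts: the rows worth a blocklist entry."""
    hits = Counter(f"{f['ip']}:{f['port']}" for f in triage(text)["direct_ip"])
    return dict(hits)


def resolved_hosts(text):
    """Names the browser resolved; here all attributable to the YouTube visit."""
    return sorted({f["domain"] for f in triage(text)["named"]})


if __name__ == "__main__":
    b = triage(NETWORK_ROWS)
    print(f"dns={len(b['dns'])} named={len(b['named'])} direct_ip={len(b['direct_ip'])}")
    for endpoint, count in sorted(candidate_c2(NETWORK_ROWS).items()):
        print(f"C2 candidate {endpoint} ({count} connections)")
    print("browser traffic:", ", ".join(resolved_hosts(NETWORK_ROWS)))
```

The direct-IP heuristic is a triage aid, not proof: a sample that resolves its C2 through a name would land in the named bucket, and a sandbox that pre-resolves nothing would show every connection as direct. Here the split lines up with the process tree, which is what makes the three RU endpoints credible.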

Files

memory/2340-0-0x0000000000820000-0x0000000000CD0000-memory.dmp

memory/2340-1-0x00000000775E0000-0x00000000775E2000-memory.dmp

memory/2340-2-0x0000000000821000-0x000000000084F000-memory.dmp

memory/2340-3-0x0000000000820000-0x0000000000CD0000-memory.dmp

memory/2340-4-0x0000000000820000-0x0000000000CD0000-memory.dmp

memory/2340-15-0x0000000000820000-0x0000000000CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 c2197d56f08530af4a35733cda8cd2fd
SHA1 ef37d065f5ab7acbe071150de940778ad7e80bb5
SHA256 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b
SHA512 cd4fc1c8d4043c52b0f190d3d0f7ede9e2f184e16b3051cb3cc2a55d4205f011f53267be6f41c2cac28c9dc998ead5f8aeb1847c038e66018ed3378a640c1f98

memory/3012-16-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-17-0x0000000000A01000-0x0000000000A2F000-memory.dmp

memory/3012-18-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-20-0x0000000000A00000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe

MD5 de1f91ae5c55b1cbbc6d6561464d7d99
SHA1 1d0d10896ee940549c1b70ac512935e1179932d2
SHA256 6bf4612c1b4d71558e998e0761e3e4b4481c89ae3827622e86a81f46c08d7332
SHA512 cea1d5db20760dfca9a9b9e11358c19b53fe7c24e52aa41ce4981a6b0f76337420091d7aa0bbee250a7fd987c123d6fdb5147777ca1b56691bb2d7b83c979faa

memory/3012-37-0x0000000006910000-0x00000000074FD000-memory.dmp

memory/3012-38-0x0000000006910000-0x00000000074FD000-memory.dmp

memory/2888-39-0x0000000000C00000-0x00000000017ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\d2ad9dd5e2.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2888-102-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UD7VL1X\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mr225z1\imagestore.dat

MD5 06f0623c7e77e936e078600f7aa19c22
SHA1 d8b605940c9ac2379dcaaea70c8d1751a491a690
SHA256 360061ac4fb6cae1dfdda0aa0beaa8ff016bbca5abfc84d3232ce2726845ddb4
SHA512 44e963ba84fbb0547feee876b796add9c75454eee1670bc1755df53d7e7a5ba096cec4d2867ed2181d3ffc138594342b9be760341be7de2036349240e86ec48d

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3012-173-0x0000000000A00000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2CA0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab2C9D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4d0f3d5273e39c9ac65c6420813b987
SHA1 0c08035b2f7a2c23dec8e1cb532613c8f954e2d6
SHA256 8c1f54dd8672a0cab327c31dea17e31601c941e208abaa259f08dafdbdfd6430
SHA512 9a19e2dc5a55c2c5749299fdbae8366d69038ef0e72621535dde9ea096554831ac2fbca0e098340e798068353357d8c79e034fd655df8744b1ff60a62b61e75e

memory/2888-237-0x0000000000C00000-0x00000000017ED000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 859bbae61703a4342dd3e9f287f488ca
SHA1 edd3cf0b25c4efa1935f411ee0aa2aba1731226a
SHA256 68f5f7458f2e8ea5709b22c8be7d22a02caf42bc0c758a7fe3305954415742f2
SHA512 f6adc57552733650df89f86ba890215d25f3fff5a1c44cf0b95bdcd4de4131c83eb719200b98678eec5360acd274901de20296608928b451d8ede349f5d02989

\Users\Admin\AppData\Local\Temp\FIJECAEHJJ.exe

MD5 d08de3a0e58a16b544c3d739b2a5598a
SHA1 f400d5d976ffb48a349a2c813c9c5723e7175138
SHA256 a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07
SHA512 ad3090320ff57e870e78729bdc6fdab476dc60bf65cfcb8fef3a6417c0341e1f0298e467c3bd742a8f5f6e30ffb022130ccabe0eb903952ea70cf954561c886b

memory/988-315-0x00000000002C0000-0x0000000000784000-memory.dmp

memory/3012-314-0x0000000000A00000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16a92e598f087d2740386663b66caf15
SHA1 cc7ae2d10c5db63e441617c8981ec94a264b75d7
SHA256 247a2e7ceb3ea9cc9523d657387e0eb0329ba0ee7c82c60f393d71a18bf010dc
SHA512 f86d37e024949fe823f4801d61a8199e5433810ec3dd2e071793fd7a182d0a9789fa4dd1e7b98bac663b8868a3638f80005b0a1c8a0f3facc91e389740f9f9b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb0a90425c2665ca219d6b4bd6368b2e
SHA1 178943d659dbb0e8182f5f919877adf28fb44acc
SHA256 2df3a59c12f81b62a652bc570638ff6a45f00ce027d2e72bac0189d1ca83dfd8
SHA512 b98504cbaea48ab5450b2363ce1ea119a546a1a708f3358239c77233eea8a9e15de8795ab2d72f3a6ba7c5b36206f3049d5a87fbc54a25a0c0cace694c936039

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f3a0b40c041bfc60766c4aab63fc976
SHA1 15e50874c183a6bb134e11d4a3a3fc56973adace
SHA256 7f69ca9f6fc1a6827dda4547c5d2121311049ddcf859deba6ec738910b36a316
SHA512 4f7a943ec8ee64e3c2072f1cf0a5212d5b7987bdc3b2573f9673e1662a419298aff2fed885510bc1ff275d5e38ab047ee9f3a7e38655b9aa2e0d2b4ed0586cac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5e3c6cfd06c9b61cd22c1f5f39f270b
SHA1 a99dbfe57e11b2a2f605c80787b466847a9fe3f1
SHA256 8b507e83d668ed5cb06d92f5391ed0e0b8b5fc14203f96f25b9cdfac65eaa0b7
SHA512 879cda414ea669716379111442c843b9598a1fd91d41cdcb548af073881b76a41a6d010704b28384fd5aad86e85a5f36fa6ef81645b4c93543bf8a51c8ece1f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6616e395e4acce00a9002a6fce3c4ff8
SHA1 31b828573323871e33c2918326744be7da95706d
SHA256 9a8bf6d43d1a1f44cd8a2f7e65ee477ff08caf7a9dbb7594d29b9148f26cab91
SHA512 a94864afd03088407b55a9bac3130040bfae751d0ed45ce397a47072d9f8651752683cf8f67e881f97fa73f5d916594ab4c0a4157c55dcec35504bdfbe9114e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74d8b0b6ec2957341362456a9168a1a1
SHA1 5b1d2780fbc08bd543ce1a24833c3caf0534ec10
SHA256 ff2273251f7cce71ddc4feb43bca95e46b2fcc25afaed28c00c30fde56e082d3
SHA512 289aa283b80b06c6ccc3150b379c2a7282abe8e3783176be8cee0b3e6fff41a1751863ad57a58073fd49faf7c791d772dbbd9ea70aa405ce58dbf4b64384984c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 055cb08dab9ae4f3a1aa659e662310e5
SHA1 fb3902b4424b0420dbe9ed4c3ad5c11c5eca40a4
SHA256 a4f54696748dc5e1c38ebe6c12c373286603ef81361357b1281542b3613b1775
SHA512 b00627083558ad52d87760deb7cbceeef9908915abbc02373afe3f68563df03226d43f84515d40fa896d3cdf9f960c5dea2e92b35daed7c5f96af36535111232

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ef3bbcffb0d75c863edd4cd0c6a9778
SHA1 58ef9ccc3301d0f649c1efa7097328386fec4702
SHA256 7ac434e74f47faaf3a0ffc0a4e1236e569a3eecac68d3aaf4dfafe5a9ab58505
SHA512 d07412c47739bdd9601a473e3e1f7b24c260fd53ebd4c258cdd6f8f4aee58cda7351caba00e881ea4a429f43c026863b355d1949bb6d1bdc2078a6c67daf4a8a

memory/988-659-0x00000000002C0000-0x0000000000784000-memory.dmp

memory/3012-663-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-664-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-665-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-666-0x0000000006910000-0x00000000074FD000-memory.dmp

memory/3012-667-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-668-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-669-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-670-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-671-0x0000000000A00000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abde195a7082865aef22122747da11ef
SHA1 7b0d0a15c88397bb86a639402c5344cec3e77553
SHA256 76e967b7f70ab9eb24d0bb2172d482f4a9d860d8cb8975039453c5016fa60dca
SHA512 4b6a8723500630738c07b9cd352a4fea64c4df5dea897325b1742560da787103e9768983f404e2b40bc2a57168ccda499f63f450265c2b4fdc0c9a163380f25e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0d901a5e9d45d1a6475f9f630228ad5
SHA1 bac900a4ea5bbab47f568aa96800452da441207d
SHA256 cbae3bbc4eead22fb1ab2c3a8da120f2da0b8a48456bee7e24e35beb1a443c1a
SHA512 5d5c0cce7f8b15744ffaadc444abc5fbb3f46b26682ec9550838cba517619e110a468f046015847fbf5d7596f0415075b43a0f9f1e8fd0afd0940cca70fb61d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81715c6eb2fd30d38111913344d1aeef
SHA1 976eb90dbc281fe8be65ca47484d5f66c7b3b2a4
SHA256 6b8f45f53ff0b67e0372c677ef529f0bb560009eeab50e023458b253082ff1d9
SHA512 82fe859f57e08dec0004125cbf4acca2937fef05289b0e629f0ebaecdfa2f76b338489f0a69e2fe6812e63dc8e50274faf462244498a8c811168fe320a97b958

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f58997ff018210a81f4a0404b206b229
SHA1 cf95f5e37ba8852dc5f5c9ba1322067e47fbefc5
SHA256 2700e1e29b78bff127dbd25319cad2b488ab21dc9456f6c92a9a4534bc2dfa1e
SHA512 8e965a2092914574cd4cba4c4d644e5e62ee4cc8700c55da174d0a4820587a1ed0301a6faa9a398e107970f185d9f2d305a25d9d682d05ca521cd993c8cffa56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc8ca3ab09973d4b1aaec7921286c1d4
SHA1 0913c94ccfa13dd0b7f324dc2351222e1470fe02
SHA256 a4da58920b7c500967a87c13c07ab2bd97349a23a8e1359faa576e562eb3ba58
SHA512 b9867239d1db95eac41ef0c91c866adb9c9047adc03f6654a83092e705ed158f06922e453ff591d45f2bf331ffd4ebb866857e869b2065130e42ca01e398d33c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89abb63c5a1bc8bb52481946100f1ef3
SHA1 60133cfbc40ba328540a055ab0c83747e49212a6
SHA256 e1633bea568d336805782cdff1b7c34a941957516f54e3c0249782d841250725
SHA512 44cc0a9e75dda25d9072b081c256107f531329b9d9bf43f508f836fde62c57391f72c67eb3946e96de83b0bcfaf9802a2fd39c17b4cc24fcd551ddbf6b1b6b66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c249b201ee50022671651eee5b0a23b
SHA1 d2a447b8e4dfd168d89bbdaa20670dea00970c2a
SHA256 fb4dbd896319d30d408cc4e24b6d2eaa61c0531ddbd40103e2c8b6326c295163
SHA512 d77ab0bff417cdde7c9cfca7338eb296e1ceff7fa1da10ecfea36b5ded62744531d6f75c6bf2904dc98a5e9584817c980f4b731cea2489ff237dc6a22da6c0de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6aaca83d68c0cf69af532a16e8778b77
SHA1 c6ff92cf0e5e905b89d23f544e4acb5c98f313f2
SHA256 fea86e6476b9fc5fdb4d97e1eeff07f9f4d9edbbfb10f6f7d35c7994f6f47ef8
SHA512 8756d6b33d686f35bd2c6b6034c681c0efdfa9f55bb8e3b7af65420ef210c2426cdc899177b32cd06531f110de07f7045c300a446fe31a4d6b6b01ce24d0f7a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 018d0ef09683b8041e2210c2dfa83bb2
SHA1 18aeb71779ce54086d9af170ba20949697be6d9a
SHA256 395db7a8e399b4c3bbf2b278178e5c09692c38c7e5d6b39d5f15e9582f421fb5
SHA512 3168e2c61b3115137b9bfa4fa125859a8f0858a88e36bb748b18be8fae358b5ab950e467b83440d7c56e67984af93bc7b2cf75ac7b982977ffb2144321cc5a2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b67f4a9ba615350ae110d621e49c600
SHA1 ff2e62825a85012a05bd9709ce35b9ad80ed57ac
SHA256 eee1a093761856442e62c5075a592845338340a935d67f536c68874fe451ac04
SHA512 84e325c72f8b89c979efb873263ee7c5e5641144dc28ba5d635e8990f384c29c2a11756d4f77e036ecefcdfef1a0e6d0a4473cbb7814273cd5c9fed898adeda7

memory/3012-1104-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1105-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1106-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1107-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1108-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1109-0x0000000000A00000-0x0000000000EB0000-memory.dmp

memory/3012-1110-0x0000000000A00000-0x0000000000EB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 07:16

Reported

2024-07-06 07:19

Platform

win10v2004-20240704-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
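The five registry-access tables above (VirtualBox ACPI table name, SystemBiosVersion/VideoBiosVersion, Geo\Nation, Software\Wine, ProcessorNameString) are the evasion and discovery evidence in this run, but the sandbox prints them as flat rows repeated once per event. The script below is an added example written for this page, not the sandbox's code: it parses those rows, collapses repeats, and maps each key to what the access tells an analyst. The technique labels and ATT&CK IDs (T1497.001 for the VM/Wine checks, T1082 for the CPU string, T1614 for the country code) are the editor's mapping, not something the report states, and the report does not show what value the Geo\Nation lookup is compared against.

```python
"""Classify the registry accesses listed in the evasion/discovery signature tables.

Added example (editor's code, not part of the sandbox report). ROWS holds one
copy of each distinct (key, process) row from the behavioral2 tables; the labels
and ATT&CK IDs in RULES are the editor's mapping, not the sandbox's output.
"""
import re
from collections import defaultdict

# Constructed input: distinct rows taken from the behavioral2 signature tables.
ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
"""

# Row layout is "<action> <key> <process> <target>". The key may contain spaces
# ("Control Panel"), so it is matched non-greedily up to the next " C:\" token.
ROW_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\.+?) (C:\\.+?) (\S+)$")

# Editor's mapping: (regex on the lower-cased key, label, ATT&CK technique ID).
RULES = [
    (r"\\acpi\\dsdt\\vbox__$", "VirtualBox ACPI table name (anti-VM)", "T1497.001"),
    (r"\\description\\system\\(system|video)biosversion$", "BIOS version strings (VM/sandbox fingerprint)", "T1497.001"),
    (r"\\software\\wine$", "Wine marker key (anti-emulation)", "T1497.001"),
    (r"\\centralprocessor\\0\\processornamestring$", "CPU name string (host fingerprint)", "T1082"),
    (r"\\control panel\\international\\geo\\nation$", "Geo\\Nation country code (locale check)", "T1614"),
]


def parse_rows(text):
    """Turn report rows into dicts keyed by action/key/process; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            action, key, proc, target = m.groups()
            rows.append({"action": action, "key": key,
                         "process": proc.rsplit("\\", 1)[-1], "target": target})
    return rows


def label(key):
    """First matching rule for a registry path, or None if the key is not on the list."""
    k = key.lower()
    for pattern, desc, tid in RULES:
        if re.search(pattern, k):
            return desc, tid
    return None


def classify(text):
    """Map each process image name to the sorted, de-duplicated (label, technique) pairs it triggered."""
    hits = defaultdict(set)
    for row in parse_rows(text):
        found = label(row["key"])
        if found:
            hits[row["process"]].add(found)
    return {proc: sorted(v) for proc, v in hits.items()}


def attack_ids(text):
    """Sorted set of technique IDs seen across all processes."""
    return sorted({tid for pairs in classify(text).values() for _, tid in pairs})


if __name__ == "__main__":
    for proc, pairs in classify(ROWS).items():
        print(proc)
        for desc, tid in pairs:
            print(f"  {tid:10} {desc}")
```

Running it groups the checks by image: explorti.exe performs all three VM/emulator checks, the two randomly named executables repeat the ACPI and BIOS checks, and fb70ea72c4.exe is the only image that reads the CPU string and the country code. A practitioner triaging a new report can paste its tables into ROWS unchanged; repeated rows collapse because the per-process result is a set.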

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 1432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 1432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 1432 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3136 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 2264 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 2264 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 640 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe
PID 640 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe
PID 640 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe
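The WriteProcessMemory table is the clearest record of the launch chain in this run, but it lists every write and repeats each source/target pair, so the chain is hard to read off directly. The script below is an added example written for this page, not the sandbox's code. It de-duplicates the rows, rebuilds the parent/child tree and prints the lineage of any PID. One caveat the table itself does not state: every target in it is an image the Processes list shows being launched, and the cmd.exe command lines there (`/c start "" "...HJJEGIEHIJ.exe"`) match the cmd.exe edges one for one, so these writes are consistent with a parent setting up a freshly created child rather than with proven code injection; the signature alone does not distinguish the two.

```python
"""Rebuild the launch chain from the "Suspicious use of WriteProcessMemory" rows.

Added example (editor's code, not from the report). ROWS is a constructed
excerpt of the report's table, repeated rows included, because the parser has
to collapse them. The rows are interpreted as process launches; see the note
above on why that reading, and not injection, is what this table supports.
"""
import re
from collections import defaultdict

ROWS = r"""
PID 5096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 5096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe
PID 1432 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 640 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe
"""

# Source path is matched non-greedily up to the next " C:\" so that a target
# path containing spaces ("Program Files (x86)") is still captured whole.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_edges(text):
    """Return {(src_pid, dst_pid): (src_path, dst_path)} with duplicate rows collapsed."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_path, dst_path = m.groups()
            edges[(int(src), int(dst))] = (src_path, dst_path)
    return edges


def build_tree(edges):
    """Children lists (sorted by PID) and a PID -> image name map."""
    children, names = defaultdict(list), {}
    for (src, dst), (src_path, dst_path) in edges.items():
        children[src].append(dst)
        names.setdefault(src, src_path.rsplit("\\", 1)[-1])
        names[dst] = dst_path.rsplit("\\", 1)[-1]
    for kids in children.values():
        kids.sort()
    return children, names


def roots(children):
    """PIDs that write to others but are never written to: the chain's origin(s)."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def lineage(children, pid):
    """Ancestor chain from the root down to pid, inclusive."""
    parent = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return chain


def render(children, names, pid, depth=0):
    """Indented one-line-per-process view, depth-first."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, names = build_tree(parse_edges(ROWS))
    for root in roots(children):
        print("\n".join(render(children, names, root)))
    print("lineage of 4436:", " -> ".join(map(str, lineage(children, 4436))))
```

For this run the tree has one root, PID 5096 (the submitted sample), which starts explorti.exe; explorti.exe in turn starts fb70ea72c4.exe and a cmd.exe that opens Edge, and fb70ea72c4.exe uses two further cmd.exe instances to start the two randomly named executables. That is the ordering to carry into a timeline when the Processes list alone is ambiguous.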

Processes

C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe

"C:\Users\Admin\AppData\Local\Temp\30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2908,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\2bf5be7740.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4948,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4868,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=4864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5188,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5668,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=5688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6076,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6008,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3020,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe"

C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe

"C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"

C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe

"C:\Users\Admin\AppData\Local\Temp\IJKJDAFHJD.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5712,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5716,i,7362247189940554640,1583793531684159627,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 95.100.245.144:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 92.123.140.42:443 bzib.nelreports.net tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 88.221.135.25:443 www.bing.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 42.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 25.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 95.101.143.202:443 www.bing.com tcp
US 8.8.8.8:53 202.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
GB 95.101.143.201:443 www.bing.com tcp
US 8.8.8.8:53 201.143.101.95.in-addr.arpa udp
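Most of the Network table is noise from the analysis host and from the Edge window the chain opens: the report shows a cmd.exe launched by explorti.exe running 2bf5be7740.cmd and msedge.exe opening https://www.youtube.com/account, which accounts for the Microsoft, Bing, YouTube and Google traffic, and the in-addr.arpa rows are the sandbox's own reverse lookups. What stands out once that is removed is three plaintext-HTTP connections to Russian-hosted addresses with no hostname resolved at all. The script below is an added example written for this page, not the sandbox's code: it separates those categories. The suffix allow-list is the editor's choice for this run, and the report does not say which of the flagged addresses is command-and-control; they are the destinations to pivot on, not a confirmed C2 list.

```python
"""Triage the Network table: separate DNS/browser noise from direct-to-IP connections.

Added example (editor's code, not part of the report). ROWS is a constructed
subset of the report's Network table in its own layout ("Country Destination
Domain Proto"; the mDNS row has no Domain column). BROWSER_NOISE is the editor's
allow-list for this run, justified by the Edge launch visible in the Processes
list; adjust it per sample rather than treating it as a general rule.
"""
import ipaddress
from collections import defaultdict

ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com udp
GB 92.123.140.42:443 bzib.nelreports.net tcp
N/A 224.0.0.251:5353 udp
RU 77.91.77.81:80 77.91.77.81 tcp
"""

# Editor's allow-list of suffixes explained by the Edge session in this run.
BROWSER_NOISE = (".microsoft.com", ".bing.com", ".youtube.com", ".google.com",
                 ".azureedge.net", ".nelreports.net")


def parse_rows(text):
    """Split each row into country/ip/port/domain/proto; tolerate the 3-column mDNS row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:          # no Domain column (multicast DNS row)
            parts.insert(2, "")
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def categorize(row):
    if row["port"] == 53:
        return "dns_lookup"
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "local_multicast"
    if row["domain"] == "" or is_ip_literal(row["domain"]):
        # No name was resolved for this socket: the process connected straight to the IP.
        return "direct_to_ip"
    if row["domain"].endswith(BROWSER_NOISE):
        return "browser_noise"
    return "review"


def triage(text):
    """Bucket -> sorted unique keys (ip:port for direct connections, hostname otherwise)."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        cat = categorize(row)
        key = f"{row['ip']}:{row['port']}" if cat == "direct_to_ip" else (row["domain"] or row["ip"])
        buckets[cat].add(key)
    return {cat: sorted(v) for cat, v in buckets.items()}


def resolved_names(text):
    """Hostnames the sample or browser actually resolved (reverse lookups excluded)."""
    return sorted({r["domain"] for r in parse_rows(text)
                   if r["port"] == 53 and not r["domain"].endswith(".in-addr.arpa")})


if __name__ == "__main__":
    for cat, keys in sorted(triage(ROWS).items()):
        print(f"{cat}:")
        for k in keys:
            print(f"  {k}")
```

The `review` bucket is what is left after the noise is removed and should be empty for a run like this one; anything that lands there is either a hostname to add to the allow-list after checking the Processes list explains it, or a genuine finding. The `direct_to_ip` bucket also makes a useful detection rule on its own: an unsigned executable from %TEMP% opening TCP/80 to a bare IP with no preceding DNS query is rare in normal user traffic.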

Files

memory/5096-0-0x0000000000E70000-0x0000000001320000-memory.dmp

memory/5096-1-0x0000000077444000-0x0000000077446000-memory.dmp

memory/5096-2-0x0000000000E71000-0x0000000000E9F000-memory.dmp

memory/5096-3-0x0000000000E70000-0x0000000001320000-memory.dmp

memory/5096-5-0x0000000000E70000-0x0000000001320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 c2197d56f08530af4a35733cda8cd2fd
SHA1 ef37d065f5ab7acbe071150de940778ad7e80bb5
SHA256 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b
SHA512 cd4fc1c8d4043c52b0f190d3d0f7ede9e2f184e16b3051cb3cc2a55d4205f011f53267be6f41c2cac28c9dc998ead5f8aeb1847c038e66018ed3378a640c1f98

memory/1432-16-0x0000000000160000-0x0000000000610000-memory.dmp

memory/5096-18-0x0000000000E70000-0x0000000001320000-memory.dmp

memory/1432-20-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-19-0x0000000000161000-0x000000000018F000-memory.dmp

memory/1432-21-0x0000000000160000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe

MD5 de1f91ae5c55b1cbbc6d6561464d7d99
SHA1 1d0d10896ee940549c1b70ac512935e1179932d2
SHA256 6bf4612c1b4d71558e998e0761e3e4b4481c89ae3827622e86a81f46c08d7332
SHA512 cea1d5db20760dfca9a9b9e11358c19b53fe7c24e52aa41ce4981a6b0f76337420091d7aa0bbee250a7fd987c123d6fdb5147777ca1b56691bb2d7b83c979faa

memory/4852-37-0x0000000000BF0000-0x00000000017DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\2bf5be7740.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/4852-49-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1432-94-0x0000000000160000-0x0000000000610000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4852-128-0x0000000000BF0000-0x00000000017DD000-memory.dmp

memory/4852-133-0x0000000000BF0000-0x00000000017DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe

MD5 d08de3a0e58a16b544c3d739b2a5598a
SHA1 f400d5d976ffb48a349a2c813c9c5723e7175138
SHA256 a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07
SHA512 ad3090320ff57e870e78729bdc6fdab476dc60bf65cfcb8fef3a6417c0341e1f0298e467c3bd742a8f5f6e30ffb022130ccabe0eb903952ea70cf954561c886b

memory/4436-138-0x0000000000330000-0x00000000007F4000-memory.dmp

memory/1432-137-0x0000000000160000-0x0000000000610000-memory.dmp

memory/2168-142-0x00000000000D0000-0x0000000000594000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/4436-148-0x0000000000330000-0x00000000007F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

MD5 57121c1c421cc3d193bfff1b753dbb4e
SHA1 5eeba4e23086992652e92f38ad154b36db2bfcea
SHA256 75356c13d55acd71e054613d4b894c5ec1cd346b9265a69bda845cd406bf9f9a
SHA512 7fea14ef2f7f118cc7561c4c350e3a8f6908960b6e5a1b2ddd7b83386da04d4e2ee8431b70fca44f7dbddb31706d739be972c5c467833db009b57877c55532c2

memory/2168-154-0x00000000000D0000-0x0000000000594000-memory.dmp

memory/1432-155-0x0000000000160000-0x0000000000610000-memory.dmp

memory/232-157-0x0000000000160000-0x0000000000610000-memory.dmp

memory/232-158-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-159-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-160-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-161-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-162-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-163-0x0000000000160000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 f3f27ec4151283c2654d14a5940a98f8
SHA1 f03e311affbe2f1f5e5ffdafc14b770d26225077
SHA256 7af1af26930c9d03b40becb19aec40e0e6edcdb74aca1f12fb8c6231bbccd815
SHA512 f9a495e61673c12376ba3ab15bf33b5825d35812528dc125f0ee14afa0eced60f02ffe5e329c96521b9922662ffff69bed10eb3b8fdea7eee0607f088c1870e0

memory/1432-169-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1820-171-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1820-172-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-173-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-174-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-175-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-176-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-177-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1432-178-0x0000000000160000-0x0000000000610000-memory.dmp

memory/956-180-0x0000000000160000-0x0000000000610000-memory.dmp

memory/956-181-0x0000000000160000-0x0000000000610000-memory.dmp
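The Files section above lists every dropped or modified file with four hashes, interleaved with memory-dump entries, which makes two things easy to miss: the dropped C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe has the same SHA256 as the submitted sample (it is a self-copy placed for the explorti.job scheduled task, not a second payload), and the same memory region 0x160000-0x610000 is dumped for PIDs 1432, 232, 1820 and 956, which is that copy being relaunched. The script below is an added example written for this page, not the sandbox's code: it parses the section into records, emits a hash list and flags both points. Reading nss3.dll and mozglue.dll in C:\ProgramData as Firefox support libraries dropped for credential access is the editor's interpretation, consistent with the "Reads user/profile data of web browsers" signature, not something the report states.

```python
"""Turn the Files section into IOC records and flag self-copies, support DLLs and shared dumps.

Added example (editor's code, not from the report). FILES_TEXT is a constructed
excerpt of the behavioral2 Files section in the report's layout (path line,
blank line, hash lines; SHA1/SHA512 lines omitted here, the parser accepts them).
SAMPLE_SHA256 is the submitted sample's hash from the report header.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b"

FILES_TEXT = r"""
memory/5096-0-0x0000000000E70000-0x0000000001320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 c2197d56f08530af4a35733cda8cd2fd
SHA256 30eb98d8a7a54537b4352f78b44be53109f3cd82577fa0c9b378bde020e2890b

memory/1432-16-0x0000000000160000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\fb70ea72c4.exe

MD5 de1f91ae5c55b1cbbc6d6561464d7d99
SHA256 6bf4612c1b4d71558e998e0761e3e4b4481c89ae3827622e86a81f46c08d7332

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

memory/232-157-0x0000000000160000-0x0000000000610000-memory.dmp

memory/1820-171-0x0000000000160000-0x0000000000610000-memory.dmp

memory/956-180-0x0000000000160000-0x0000000000610000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")

# Editor's watch-list: Firefox NSS libraries a stealer drops to read browser credential stores.
STEALER_SUPPORT_DLLS = {"nss3.dll", "mozglue.dll"}


def parse_files(text):
    """Return ({path: {hash_name: hex}}, [(pid, seq, start, end)]) from the report layout."""
    files, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
            continue
        current = line                      # any other line is a file path starting a record
        files.setdefault(current, {})
    return files, dumps


def self_copies(files, sample_sha256):
    """Dropped files byte-identical to the submitted sample (a persistence copy, not a new payload)."""
    return sorted(p for p, h in files.items() if h.get("SHA256") == sample_sha256)


def support_dll_drops(files):
    return sorted(p for p in files if p.rsplit("\\", 1)[-1].lower() in STEALER_SUPPORT_DLLS)


def shared_regions(dumps):
    """Regions dumped from more than one PID: the same image relaunched under new PIDs."""
    by_region = defaultdict(set)
    for pid, _seq, start, end in dumps:
        by_region[(start, end)].add(pid)
    return {f"0x{s:X}-0x{e:X}": sorted(p) for (s, e), p in by_region.items() if len(p) > 1}


def ioc_lines(files):
    """One 'sha256 path' line per hashed file, ready for a blocklist or hunt query."""
    return [f"{h['SHA256']} {p}" for p, h in sorted(files.items()) if "SHA256" in h]


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    print("\n".join(ioc_lines(files)))
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    print("support DLLs:", support_dll_drops(files))
    print("relaunched regions:", shared_regions(dumps))
```

When this is run over the full section, the Edge profile files (SCT Auditing Pending Reports, TransportSecurity, Network Persistent State) also come out as records; they are written by msedge.exe during the YouTube visit and should be excluded from a blocklist, which is why the script keeps paths alongside hashes rather than emitting hashes alone.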