Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-hw3gyssejb
Target amadka[1].exe
SHA256 a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07

Threat Level: Known bad

The file amadka[1].exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 07:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 07:06

Reported

2024-07-06 07:08

Platform

win7-20240704-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amadka[1].exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b2cc1073cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000ee149540b1bfef7a23b40f4f41216cde3fd2911561e35f365cc03ebb04f07c68000000000e8000000002000020000000e130f2f4b7e1d9902e03659c43f24ee7146895495bf232061f21db83758dc83020000000eccc31443d00d5e5bb2e67c429e14371f8bb339bf0aca7ed966f14e9c60476ca40000000d2f1ef8782ef55f425f92643d3f0082a7ff5c6c6574fc5c1bda0ac699a37c797cfac2cf5a03c16d5a31233d4d8d9fb70c1971e9e0ff47acb3b756814fdb0bd48 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B7C9CA1-3B66-11EF-ACB8-4605CC5911A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426411442" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Every row in this table is written by iexplore.exe or IEXPLORE.EXE itself, not by the sample or one of its dropped binaries. The malware opened Internet Explorer on https://www.youtube.com/account (see the Processes section), and these keys are the browser's own start-up state. Treat them as browser noise rather than as the sample tampering with IE configuration.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2400 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 4
PID 2968 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe | 4
PID 2968 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2888 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe | 4
PID 1932 wrote to memory of 1560 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | 4
PID 264 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 264 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1496 wrote to memory of 1580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe | 4

Each parent/child pair is logged four times in the raw report; the rows are collapsed here with a count. Every target is a process the writer itself had just started (compare the Processes section), and no write into a pre-existing process is recorded, so this pattern is consistent with the memory writes that accompany process creation on this platform rather than with injection into an unrelated process. The table is still the quickest way to recover the process tree: amadka[1].exe (2400) starts explorti.exe (2968), which starts 3775733ced.exe (264) and the cmd.exe (2888) that opens Internet Explorer; 3775733ced.exe in turn starts two cmd.exe launchers (1496, 1940), one of which runs JJECFIECBG.exe (1580).
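The signature tables in this report are flattened "Description Indicator Process Target" rows. The following Python is an added example, not code from the report or from the sandbox vendor: it parses that row format (description from a fixed vocabulary, process column starting with a drive letter, target either N/A or another path, which is enough to split rows whose indicator or process path contains spaces) and maps each registry or file indicator to the evasion or persistence technique it reveals. The sample rows are copied from the behavioral1 tables above; the ATT&CK labels in RULES are the author's mapping and are not stated by the report.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the behavioral1 signature
# tables of this report.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
PID 2400 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\amadka[1].exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"""

# The description is one of a small fixed vocabulary, the process column
# always starts with a drive letter, and the target is N/A or another path.
# Lazy groups plus those anchors split rows whose indicator or process path
# contains spaces (e.g. "...\FullScreen = "no"" or "C:\Program Files\...").
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key created|Key value queried|Set value \(\w+\)|"
    r"File created|PID \d+ wrote to memory of \d+|N/A)\s+"
    r"(?P<indicator>.*?)\s+"
    r"(?P<process>[A-Za-z]:\\.*?)\s+"
    r"(?P<target>N/A|[A-Za-z]:\\.*)$"
)

# Author's mapping of indicator paths to techniques (assumption, not from the report).
RULES = [
    (re.compile(r"\\ACPI\\DSDT\\VBOX__$"), "evasion: VirtualBox ACPI table name (T1497.001)"),
    (re.compile(r"\\Software\\Wine$"), "evasion: Wine detection (T1497.001)"),
    (re.compile(r"\\(SystemBiosVersion|VideoBiosVersion)$"), "evasion: BIOS string check (T1497.001)"),
    (re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$"), "persistence: scheduled task .job file (T1053.005)"),
    (re.compile(r"\\CentralProcessor\\"), "discovery: processor info (T1082)"),
]


def parse_rows(text):
    """Split flattened rows into dicts; raise on anything the pattern cannot place."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(row):
    """Technique label for one row; browser self-configuration is called out as noise."""
    if row["desc"].startswith("PID "):
        return "process: write into child memory (T1055 candidate, check process tree)"
    for pattern, label in RULES:
        if pattern.search(row["indicator"]):
            return label
    if "\\Internet Explorer\\" in row["indicator"] and row["process"].lower().endswith("iexplore.exe"):
        return "noise: Internet Explorer configuring itself"
    return "unclassified"


def summarize(text):
    """{process basename: {label: count}} over every parsed row."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in parse_rows(text):
        proc = row["process"].rsplit("\\", 1)[-1]
        summary[proc][classify(row)] += 1
    return {proc: dict(labels) for proc, labels in summary.items()}


if __name__ == "__main__":
    for proc, labels in summarize(SAMPLE_ROWS).items():
        print(proc)
        for label, n in sorted(labels.items()):
            print(f"  {n:2d}  {label}")
```

Run on the full behavioral1 tables, the per-process summary separates the three binaries that run the VirtualBox, Wine and BIOS checks (amadka[1].exe, explorti.exe, JJECFIECBG.exe) from the one that only reads processor information (3775733ced.exe), and shows that the entire "Modifies Internet Explorer settings" block is attributable to iexplore.exe. Anything that lands in "unclassified" is a row the rule set has not seen before and is worth reading by hand rather than dropping.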

Processes

C:\Users\Admin\AppData\Local\Temp\amadka[1].exe

"C:\Users\Admin\AppData\Local\Temp\amadka[1].exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\9659d72371.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIEGIIIE.exe"

C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe

"C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe"
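The Processes list above gives command lines but no parent/child relationships; those only appear in the WriteProcessMemory table. The Python below is an added example, not code from the report or from the sandbox vendor: it rebuilds the process tree from the parent/child PID pairs and the command lines, and tags each pair with the pattern a hunter would look for. The PID-to-command-line assignment is inferred from the tables (the cmd.exe with PID 2888 is the one whose child is iexplore.exe, so it is the 9659d72371.cmd launcher; 1496 is the cmd.exe that started JJECFIECBG.exe, which leaves 1940 for IDHIEGIIIE.exe), and the hunting labels are the author's.

```python
import re

# Parent/child PID pairs from the 'Suspicious use of WriteProcessMemory'
# table above (each pair appears four times there; once is enough here).
EDGES = [(2400, 2968), (2968, 264), (2968, 2888), (2888, 1932),
         (1932, 1560), (264, 1496), (264, 1940), (1496, 1580)]

# Command lines from the Processes list. The PID assignment is inferred
# from the parent/child pairs (assumption, see lead-in).
CMDLINES = {
    2400: r'"C:\Users\Admin\AppData\Local\Temp\amadka[1].exe"',
    2968: r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"',
    264:  r'"C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe"',
    2888: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\9659d72371.cmd" "',
    1932: r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account',
    1560: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2',
    1496: r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe"',
    1940: r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIEGIIIE.exe"',
    1580: r'"C:\Users\Admin\AppData\Local\Temp\JJECFIECBG.exe"',
}

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_path(cmdline):
    """The image: the quoted first token, or the bare first word when unquoted."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def image_name(cmdline):
    """Lower-cased executable basename ('cmd' becomes 'cmd.exe')."""
    name = image_path(cmdline).rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"


def process_tree(edges, cmdlines):
    """Indented one-line-per-process rendering, roots first, children in log order."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_name(cmdlines[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def hunting_leads(edges, cmdlines):
    """Label each parent/child pair with the pattern it matches (author's rules)."""
    leads = []
    for parent, child in edges:
        pc, cc = cmdlines[parent], cmdlines[child]
        pn, cn = image_name(pc), image_name(cc)
        if pn == "cmd.exe" and TEMP_PATH.search(pc):
            label = "cmd.exe used as launcher for a %TEMP% payload (T1059.003)"
        elif TEMP_PATH.search(image_path(pc)) and TEMP_PATH.search(image_path(cc)):
            label = "%TEMP% binary spawning another %TEMP% binary (loader chain)"
        elif TEMP_PATH.search(image_path(pc)) and cn == "cmd.exe":
            label = "%TEMP% binary spawning cmd.exe"
        elif pn == cn == "iexplore.exe":
            label = "benign: IE frame/tab process pair"
        else:
            label = "unclassified"
        leads.append((parent, child, label))
    return leads


if __name__ == "__main__":
    print("\n".join(process_tree(EDGES, CMDLINES)))
    for parent, child, label in hunting_leads(EDGES, CMDLINES):
        print(f"{parent} -> {child}: {label}")
```

The rendered tree has one root (2400, the submitted sample) and two branches under explorti.exe: the stealer branch (3775733ced.exe and the two `cmd /c start ""` wrappers it uses to run the next stage from %TEMP%) and the browser branch (cmd.exe running the dropped .cmd, which opens Internet Explorer). The `start ""` idiom is worth a dedicated hunt rule: a cmd.exe whose only job is to launch an executable from a user-writable temp directory has few legitimate callers.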

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
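In the table above, the only destinations with no DNS lookup are the three Russian hosts contacted on TCP/80 by bare IP (77.91.77.82, 77.91.77.81, 85.28.47.30); everything else is the Internet Explorer session the malware opened (YouTube, Google PKI endpoints, ieonline.microsoft.com) and was resolved through 8.8.8.8 first. The Python below is an added example, not report or vendor code: it splits a table in this format on exactly that criterion and emits the block-worthy ip:port pairs. The rows are a constructed subset copied from the table; the heuristic is the author's.

```python
import ipaddress

# Constructed sample: a subset of the Network table above (country,
# destination ip:port, domain column, protocol).
NETWORK_ROWS = """\
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def parse_network(text):
    """One dict per row; the destination column is split into ip and port."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_bare_ip(domain):
    """True when the sandbox had no name for the destination (domain column == IP)."""
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def triage(text):
    """Split the table into (c2_candidates, resolved_hosts).

    c2_candidates: ip -> {"port", "country", "hits"} for connections made
    to a bare IP with no DNS lookup anywhere in the table.
    resolved_hosts: domain -> set of IPs actually connected to after a
    DNS query; the DNS rows themselves only register the name.
    """
    c2, resolved = {}, {}
    for row in parse_network(text):
        if row["port"] == 53 and row["proto"] == "udp":
            resolved.setdefault(row["domain"], set())
        elif is_bare_ip(row["domain"]):
            entry = c2.setdefault(row["ip"], {"port": row["port"], "country": row["country"], "hits": 0})
            entry["hits"] += 1
        else:
            resolved.setdefault(row["domain"], set()).add(row["ip"])
    return c2, resolved


def network_iocs(text):
    """Sorted 'ip:port' strings for the bare-IP destinations."""
    c2, _ = triage(text)
    return sorted(f"{ip}:{info['port']}" for ip, info in c2.items())


if __name__ == "__main__":
    c2, resolved = triage(NETWORK_ROWS)
    for ip, info in c2.items():
        print(f"C2 candidate {ip}:{info['port']} ({info['country']}, {info['hits']} connection(s))")
    for domain, ips in resolved.items():
        print(f"resolved {domain} -> {sorted(ips) or 'DNS only'}")
```

A bare-IP destination is a strong but not absolute C2 signal: a family that resolves its C2 by name would land in resolved_hosts next to the browser traffic, so review both halves of the output rather than only the IOC list. Here all three candidates are plain HTTP on port 80 and 77.91.77.81 is contacted twice, which matches the repeated check-ins visible in the full table.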

Files

memory/2400-0-0x0000000001300000-0x00000000017C4000-memory.dmp

memory/2400-1-0x0000000077170000-0x0000000077172000-memory.dmp

memory/2400-2-0x0000000001301000-0x000000000132F000-memory.dmp

memory/2400-3-0x0000000001300000-0x00000000017C4000-memory.dmp

memory/2400-5-0x0000000001300000-0x00000000017C4000-memory.dmp

\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (same SHA256 as the submitted sample, so a byte-identical self-copy; its name matches the explorti.job task file created under C:\Windows\Tasks)

MD5 d08de3a0e58a16b544c3d739b2a5598a
SHA1 f400d5d976ffb48a349a2c813c9c5723e7175138
SHA256 a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07
SHA512 ad3090320ff57e870e78729bdc6fdab476dc60bf65cfcb8fef3a6417c0341e1f0298e467c3bd742a8f5f6e30ffb022130ccabe0eb903952ea70cf954561c886b

memory/2400-16-0x0000000007090000-0x0000000007554000-memory.dmp

memory/2968-17-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2400-15-0x0000000001300000-0x00000000017C4000-memory.dmp

memory/2968-18-0x0000000000AE1000-0x0000000000B0F000-memory.dmp

memory/2968-19-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-21-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\3775733ced.exe

MD5 de1f91ae5c55b1cbbc6d6561464d7d99
SHA1 1d0d10896ee940549c1b70ac512935e1179932d2
SHA256 6bf4612c1b4d71558e998e0761e3e4b4481c89ae3827622e86a81f46c08d7332
SHA512 cea1d5db20760dfca9a9b9e11358c19b53fe7c24e52aa41ce4981a6b0f76337420091d7aa0bbee250a7fd987c123d6fdb5147777ca1b56691bb2d7b83c979faa

memory/2968-39-0x0000000006DB0000-0x000000000799D000-memory.dmp

memory/2968-40-0x0000000006DB0000-0x000000000799D000-memory.dmp

memory/264-41-0x0000000000E60000-0x0000000001A4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\9659d72371.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\puwo4pk\imagestore.dat

MD5 c05d496e3c3e358c8e460c7618020514
SHA1 dc494212081bc6d799d6002755a499403ca8ee6a
SHA256 e94eea5aab6ab46622501c7590aa90a23e074cddd0ce53767e01f8038755815f
SHA512 be61ff6376137caab239aa9caf81ea13b1e629aec27f11ff89d2cad9e77dc7c9753c2004564ddbd7f7d3ca111a5a74b858c7beccfae5508e654947acef7ddf9b

memory/264-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2968-166-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

\ProgramData\nss3.dll (name of a Mozilla NSS library; Stealc is documented to download the NSS/mozglue DLLs into ProgramData so it can decrypt Firefox credential stores, which is consistent with the "Reads user/profile data of web browsers" and "Loads dropped DLL" signatures. Check the hash against a Mozilla build before treating the DLL itself as malicious.)

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll (companion library to nss3.dll above; same caveat)

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2968-189-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27595dae7744c04d1bd81443cc5e3c71
SHA1 2701dc8c557c870e27633bf47dad3be4b7485f49
SHA256 682c9d96e4f66ffb1436aa6b4314175ec7b6e8c906b482f0b7d62e1c5bbbb873
SHA512 f6d92944ffc27ed0ce2ed34b206420a8145c98c2ff0e2d54fa45ea374f0f13c98cb3c42eb6105fda861644677dc28ba3dea169cdec2c1f06284a0fa406f113a3

C:\Users\Admin\AppData\Local\Temp\CabBBD1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBBE4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d53143a0a14cfe14a32ab593e8b5a05e
SHA1 bd487fead2fe9bf201e0eee32bf36c736bb5ffdb
SHA256 91068662f9074745c04596b6e13430fd11ad67e376548f2a24aa38f7b09acbf7
SHA512 7d602fe6f7b9abb49dd41143f08889401fe0de8162fd5e8d625c58536c3f8ab8d89f31ff851e0f41d05a4c7e4c7245ecca3715b323f0908394d04e0e618d639a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 68efce0ed9bf40de805752822e508efd
SHA1 f786cd434b58c8463650eae3c28ae40d16820e2c
SHA256 ec1141ce2343b58edfd842d7f3e52e5da53e1fb08ee02528e4a57db8bbc29612
SHA512 1050c5373fb5ec18fd9c7dad86c66a088db542de9ae0d476217d7e8ea238828b8a13f061935949ab1513f586ec7d1364ebd26115f115757f67166fd6b33240c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e83201ab8b33b9eb07ffa17b9748863
SHA1 d02dcd6909dd4e1c98e205c6a39b73dd7a35c941
SHA256 51d5cb050733a017673b4f6bf285476f3cee1d49f8b43f34bf4416a6809f5664
SHA512 f7da613f4ba7373e06405f476b49c45f7c36d0933da58e44f126c1ef309a0da420a2510ce37b7647a9e4360773336eecbd4143bbc88b68eda5457ca23ba33ead

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce56cd861e608f4ef52d61efc9ce48da
SHA1 f23d8bd016e063ec3e1fa35d1e663d5c73a49557
SHA256 d16532661f7d1ee0d29931ee641febdebf65df1a6a70c897266cc54d2e77dd29
SHA512 f089892d6fda0b5536488a69467e3b2fb39fed4b5f2ba64f0d336ee2dd9b1788560f2d1f806a217413d0bb28e0bd002ffb4f1d0a9b2a28e3ec949d5dc03b43d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 889259345483eaafefff16c6911dc8e0
SHA1 217ad4ad1e50de18a9c0abbe8d0cc45ee4b351b3
SHA256 4d4f1c5db8a029f841f9ed71090f1cd69d6ea43cede46179980b0ffd1cab4549
SHA512 6de6807afc24497b0f03f5b1334687c6f3bc8cc8bbf975ea42ebcb5abe323779bce05ecba6bdb5b750b385ddf2d673acec938f63b8b093f3b59830c459e24c32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b98f394443825d0b856341d68714c2cb
SHA1 69647630900de21ada4c66498ee2d8a90db098f8
SHA256 b957598dedb487df41b07113f52c2f661342f07c9a59bdbb98106fffedde9fc6
SHA512 cbeed399e80fbb3b19a91b49e65c3704e2f2e88e15aadaaff433027776c19411a93bc1e7591643f77afa27a1ece8792f2b999fe72227d04786e099a7495956fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 feb4cde9f6c156d0abf000285a4def5f
SHA1 d95737585ed38232048209541ad8ef777e40ea5a
SHA256 b15b5aac2629823092974a56e2723cd4c4b695becbd05b6dffa61f08714c1de0
SHA512 00bfc649a0043d5864c857b93239be1f77f38248b3864565ce964b0a6473afc48f523beca6ffb5a4b1a0284b40493d5558c219b109009cef660ce20ff67f53be

memory/264-458-0x0000000000E60000-0x0000000001A4D000-memory.dmp

memory/1580-535-0x0000000000DC0000-0x0000000001284000-memory.dmp

memory/1496-534-0x0000000002060000-0x0000000002524000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7988df259ff0be1f98f0b551a2e58f96
SHA1 cad31c1eb5634a4e0b0d2fc62fd43c6c50ef5c1d
SHA256 510ba5e2aac35694fe614b7cfc26da30afae6a76af1f8dd498a0ddffda82f376
SHA512 8cdff3cc196861754e35f4de0ff01d864b1386df4dc19d5476b7837621c273d3138d389fb5aafb8bd03ac8e0c50bd42a33b1c20bfc5725b9e23588a15d15ac70

memory/1580-654-0x0000000000DC0000-0x0000000001284000-memory.dmp

memory/2968-667-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-668-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-669-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-670-0x0000000006DB0000-0x000000000799D000-memory.dmp

memory/2968-671-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-672-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-673-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-674-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-675-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 297235534350be44907347e94208ccc4
SHA1 d17176aa10096b7ea56b552f2156e2db211d4bac
SHA256 6310e8f3c37859e13d083240bb4a097baa96e5e94c8026c65bd45f65fa22c592
SHA512 7273b1906dd2ba6ac1ec72c828266032acf0873830a7fae039f4511a8de76a2d8775605e30974f0cf89499d3ecaace01dacf927f0d13e56495ee246f80935a1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee603b912c3cc7b6247cc5c7f055b8eb
SHA1 1eeeec2c652dab33d9b43fe5cd67be97bde54957
SHA256 8ebfae2181abaaff4785382f69263e6c98051048f21cfb1b0fb7f7eb67b5a930
SHA512 5b43a4396e2311a6e1d26e66456f6023272dc8efb73a7a7cf7551cd7f3219b91b15f79794ada15eb4b6fa0acc94c02ef63414f89cf71cc1e77badec979ead06b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38819705e81e18a84063b509dea7f474
SHA1 711865bc5ce5d3832eab736cc5f3c1dd91dcf17f
SHA256 efff24c0647aed5df994c8aa70b733aa402350d0738e1a474c191855188e5fd7
SHA512 4d979b4e1a270d52cfbb1cfc564edc5878e6afda8483b7b4e30deb6bfcbd3f978fa941c58315d18293be573046c15f2399b29e343d96c63164c45ee05632ec80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e74e49ed884c99bf51ecdad1101cb65b
SHA1 5c75638dfc9168a48d687f9750d80fc2c072bb78
SHA256 447d306177ed3edb7956d9923096dd58d3ca1b7e52c08448fe86f8456b92c2e7
SHA512 1c0b19267dbcdb4c63191d839d8c56a04b4058a616d017173592159e788696c0c28b1c83314b35059ccdd82d93f56ca33d06d65f944780319759372ea65aea0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67f80c7f172639b79afecc3860bc30c5
SHA1 aacd982355c75c4287c4c16802476c8a830e3172
SHA256 93c82a668ae072e333f56906e75610c56bd4a184fe932cb8977cb8b72b0f0ba8
SHA512 6a7f43ea32db9a97fe2b9f24f5e2ba6afa168961041e0deffc52ff7fd036dfc37ad86585da576743b421df6ee985fc8f3ce23246e71105c8125f52db9d86cadb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ea561a6eb0849846d64503751e799a8
SHA1 e9eddb3a1c6e3092a966a2a960c19d5355a177f8
SHA256 2c2e970e416f2fb629cb51738ec5598e913ae3f87ebec6994ce837adac7054e3
SHA512 dce8c7650a80bfdbf01508bb918e256f51d0fa667e9138c7fc6f69024405a514414dcc0d20f57babb357a180fb801e4d4db86c2f52cff7d1ec2c460e05fd27cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4249c3187e6f2059b530d773be82b1d5
SHA1 ad0f4365d25d65170714ac25bbf459028d0c826e
SHA256 2c138fc2dcb388d9dc9ac0b78f30e22dea15861f08980988ac90090f25196239
SHA512 27be0456ec6fc55672169a513bb2df670cf2922983c191f3e2bfed4db11d05a9b5a98f66278c5effd4612a6ee92e10ab8acbb8edf334bef6fabd4b78faa960a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 301e21c23a6c6cd15396190a9ec35b92
SHA1 509916dfb8c713d61217faec1975c77aca5d7cab
SHA256 e06cadb1ce7d9661656e766d76814a36ac95864133c6d19ec982dbe94048845b
SHA512 a510abd89002bb14b701ea03b52b8f412aad1ba65249978e3a7cf1e5ff3493949c93f51de8dff4ddd7fc7980ece068db956e97160fe600ff777472d98508d2d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45ff921a2db1f06158c69480e068f44a
SHA1 71a8355f34f7f52cbb9545a34cb11b9a907d82a5
SHA256 9e3499c77b161dee1d7395ac49960cec440cd2dd63762438298b36b133f1ee17
SHA512 02dc29c10d18bec14d566c9f63e9628b09382f329a05a652ed1eb50843074456ce932e70c1866e730f22ea9c0c98c3d562db925cc13c269022c033a330b101a8

memory/2968-1108-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1109-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1110-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1111-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1112-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1113-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

memory/2968-1114-0x0000000000AE0000-0x0000000000FA4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 07:06

Reported

2024-07-06 07:08

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amadka[1].exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\amadka[1].exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\amadka[1].exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\amadka[1].exe

"C:\Users\Admin\AppData\Local\Temp\amadka[1].exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 tcp
RU 77.91.77.82:80 tcp
US 52.111.229.43:443 tcp

Files


C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 d08de3a0e58a16b544c3d739b2a5598a
SHA1 f400d5d976ffb48a349a2c813c9c5723e7175138
SHA256 a337d575a5fef97dc3bc9e565d358d51112c3c031979041d7bfaa8208d9b4f07
SHA512 ad3090320ff57e870e78729bdc6fdab476dc60bf65cfcb8fef3a6417c0341e1f0298e467c3bd742a8f5f6e30ffb022130ccabe0eb903952ea70cf954561c886b
