Malware Analysis Report

2024-11-30 22:08

Sample ID 240706-kmn93svgkh
Target 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe
SHA256 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff

Threat Level: Known bad

The file 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 08:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 08:43

Reported

2024-07-06 08:45

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe
PID 1932 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4820 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\f9423f6d5e.exe
PID 4820 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJKKEHJDHJ.exe"

C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe

"C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\f9423f6d5e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\f9423f6d5e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\c4319c7552.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb2a4146f8,0x7ffb2a414708,0x7ffb2a414718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15191324494147940593,3781504957092077581,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5812 /prefetch:2

Network


Files

memory/544-0-0x0000000000680000-0x0000000001278000-memory.dmp

memory/544-1-0x000000007F1C0000-0x000000007F591000-memory.dmp

memory/544-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/544-78-0x0000000000680000-0x0000000001278000-memory.dmp

memory/544-79-0x000000007F1C0000-0x000000007F591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe

MD5 7a7d0951bdab4de768832ef651e78c6c
SHA1 42adc0c0197ccdb7c5e444f27b9c4f79f848ec5b
SHA256 686f915f8c4cdfbd0ab8d4d4b3215b14aba3a5bd11c4ab2c5e62ad2e94cac555
SHA512 a8261a96e752e61771ad7af0b845baf35c8ae0a69e6cd82560b2bdbd2db519f20604c58f8d791c7a1513cc7e672418ed33d1852eaf2b934ff88ed9167249f737

memory/1932-83-0x0000000000500000-0x00000000009AE000-memory.dmp

memory/4820-95-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/1932-97-0x0000000000500000-0x00000000009AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\f9423f6d5e.exe

MD5 58ecb697be82278aeb969f9c2c12e1d4
SHA1 962efe904a67f667065350cf5a865d22a8d9b563
SHA256 c8d2aaa1fc32eab170c96f95884a85e47a025f8d74b66a9e7311cba9ee88d10d
SHA512 0947b87b1b38d1bcde914e65233a78dc8079f419fc0c0f36e10d4ae2fc07e239b557fa05e899d36ef3158265a7519cf1a83fa44e1d86567ff181c5660966f26c

memory/2956-113-0x00000000000E0000-0x0000000000CC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\c4319c7552.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2956-124-0x00000000000E0000-0x0000000000CC7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5b6ff6669a863812dff3a9e76cb311e4
SHA1 355f7587ad1759634a95ae191b48b8dbaa2f1631
SHA256 c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906
SHA512 d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

\??\pipe\LOCAL\crashpad_4536_EFTQTZKRDZVZVXSC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fbc957a83b42f65c351e04ce810c1c11
SHA1 78dcdf88beec5a9c112c145f239aefb1203d55ad
SHA256 7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128
SHA512 efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 38d2d731eb8098d182a520b9cbacdf38
SHA1 a4f22ee68e58d22a4e552aa4499f83641472c38f
SHA256 ad28a56c1f8b59651b6ce4f4bef5403c3628005153b547073718af051a569c1f
SHA512 9d14deeab4a8c52b903e1ee3425af0aa624758e5cdd73edb2ebe88ad328a9e46d829c09876cdd4f66dc80757b8823c1871ece84f2000714fca81e630852bd70d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4820-177-0x0000000000650000-0x0000000000AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 04d0dfef494de7f49e60891c00530b69
SHA1 aa36f85c18cee5352538c62698d79692e5fbed5f
SHA256 c8158942f820753cf08cdaa15774cded510c777d0b6f9d6ebabadfb9419bde9f
SHA512 cf66f64bb14e4dfd4f8ef0b7678eb3c52ef96919e2075c6fc5fe7263f88b88aa3254c871eb840015297494aa7534be4fe8c58afa2a4c6840a647a808b68ced25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\afe40217-8813-42b1-ad13-442e83312b35.tmp

MD5 9486e17cfe52646043a6fb14782698ed
SHA1 2aaa34416980f0c3f42abdbb5fc3acd7decbe876
SHA256 b021e204b22686486b8fbcaf757be9988748cc916bff36aa864d65f658e753da
SHA512 3af140b9da93c8e30fff2df24c928f84ebb1ee46326416ffb5afa96d069dd4eb1ebab8ba30d2a75cce6d0639f64160826783adbefc1f5bcc2a50155ec4cdc1a1

memory/4820-201-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/3700-204-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-203-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/3700-205-0x0000000000650000-0x0000000000AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 69f58607be5a99ba86776e6fa5bb529d
SHA1 04baf6afc3b61dbc6d9120c4f8633156692e4e6b
SHA256 b829c439723b22be7522828c153451f6d52fc4e5d91546b49eb98dde2141b19f
SHA512 95d29242e1f4969b9ea2f17668d7ad7b861cccc1c801af0d9c27e5a4064c9dd80077b7292083067c5fefdef961e22eda65eef5f4daa8751b6f668ad75af94b8d

memory/4820-211-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-221-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-222-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-232-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-241-0x0000000000650000-0x0000000000AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8c2028ad354ab78efbc4753c9950d03b
SHA1 c4d51867105037d972ee644bc2f9eb31a1b09053
SHA256 e24ece5d6d83b1c4d2d4bce6fdd630e85dec726340b217412cd4324d8a1efbaa
SHA512 b4f2e86eac406acc94dd7a0d3f75332a213cfacfc34440a124b9a93d4b2ecc9fbf19880c44e7f09b1dd64a0ae6e7b2a7403a87c1b2e8273b288b9b6051b0ecc3

memory/4820-265-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/3964-267-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/3964-269-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-270-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-271-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-272-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-273-0x0000000000650000-0x0000000000AFE000-memory.dmp

memory/4820-276-0x0000000000650000-0x0000000000AFE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 08:43

Reported

2024-07-06 08:45

Platform

win7-20240704-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 304ff3b080cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426417293" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000416b05904fc8ff6eed3fe7d0c04c65aa3d6b1e065d482c98befb93138d4a33f2000000000e80000000020000200000007a013db6934c5a3ac25d322dc7f9a3e572f53de8a19845785d15d2aac49d89e520000000cdf82f84571c2f7bd5ca210c39c2fe14da1f659c11810aa30e6b4b046b0936b5400000006b32db71e6d2bc23a348be7479b4b95ede6c28afbb322f0635b309f4e6fc1969b1c7e6e13234f7c6d4bf1efd674cc73f2775bdd92f62f54fa2253b9167051e27 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in source] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA9AE9B1-3B73-11EF-A69A-C2666C5B6023} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe
PID 2516 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe
PID 2516 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe
PID 2516 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe
PID 396 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 396 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 396 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 396 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2448 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe
PID 2448 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe
PID 2448 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe
PID 2448 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe
PID 2448 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1660 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1660 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1660 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2268 wrote to memory of 836 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2268 wrote to memory of 836 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2268 wrote to memory of 836 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2268 wrote to memory of 836 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKKFHIEGD.exe"

C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe

"C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\e00ff081f1.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2080-0-0x0000000000CA0000-0x0000000001898000-memory.dmp

memory/2080-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2080-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2080-65-0x0000000000CA0000-0x0000000001898000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HJJJDAEGID.exe

MD5 7a7d0951bdab4de768832ef651e78c6c
SHA1 42adc0c0197ccdb7c5e444f27b9c4f79f848ec5b
SHA256 686f915f8c4cdfbd0ab8d4d4b3215b14aba3a5bd11c4ab2c5e62ad2e94cac555
SHA512 a8261a96e752e61771ad7af0b845baf35c8ae0a69e6cd82560b2bdbd2db519f20604c58f8d791c7a1513cc7e672418ed33d1852eaf2b934ff88ed9167249f737

memory/396-81-0x0000000000C90000-0x000000000113E000-memory.dmp

memory/2516-80-0x0000000001CC0000-0x000000000216E000-memory.dmp

memory/396-115-0x0000000000C90000-0x000000000113E000-memory.dmp

memory/2448-116-0x00000000011A0000-0x000000000164E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\a907f96bdc.exe

MD5 58ecb697be82278aeb969f9c2c12e1d4
SHA1 962efe904a67f667065350cf5a865d22a8d9b563
SHA256 c8d2aaa1fc32eab170c96f95884a85e47a025f8d74b66a9e7311cba9ee88d10d
SHA512 0947b87b1b38d1bcde914e65233a78dc8079f419fc0c0f36e10d4ae2fc07e239b557fa05e899d36ef3158265a7519cf1a83fa44e1d86567ff181c5660966f26c

memory/2448-138-0x0000000006020000-0x0000000006C07000-memory.dmp

memory/2448-137-0x0000000006020000-0x0000000006C07000-memory.dmp

memory/1196-139-0x0000000000E50000-0x0000000001A37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\e00ff081f1.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/1196-180-0x0000000000E50000-0x0000000001A37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDC8A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ljg9kkp\imagestore.dat

MD5 6f976f3bebb6bd051635455ae7cadbef
SHA1 f0fdb506425824b77fdac5efe8514c41c45e1513
SHA256 b46dde1a6b19aca863f5d55141f6bc000b25cee894f746751323f2faec3ff3f0
SHA512 bc083f97533540bade5496f330c622fdc45dc67f79cdcae4905c94872e325791e2a78e8e7ec5b7e515659266d008db4ea2cfa25fe855066c6d39b6e36d787594

memory/2448-246-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/396-247-0x0000000000C90000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 873f3a779aee0a4f493d31ec89da2e62
SHA1 5981205f19b0a2286864ada79c8912172741d6d8
SHA256 609ba25a2ddaedfeef05261d5d2747299a94e063507bd530f3552b98cf317c81
SHA512 0d7186b8a6754414cbc38e0d2a125f96dae56e47bb253b86b86341c34f67741b89466afed947f9876cba3860a32767e4e2602b1942d3acb9747408fe3899bd4c

C:\Users\Admin\AppData\Local\Temp\TarF818.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e97f679dd796d2c4da49c3c1b02e9caf
SHA1 ad70d433ceba3912b201746877e3d50f3430aa41
SHA256 94e547844a1dac3abc055a2f9dd94e3abf1f43ab30f74a83a1c405132c52bd72
SHA512 aca43bc52e4e4acf9db6e6716e958bd88b68b5dbf0d75b6e3087b8defb907908ff2840423e8e22fbc97b8987d116b560806779b2e23b4a81afad45b551742fa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f734c39622eaff07fc371de2bd05c8d9
SHA1 3de9c4533f5f89465c3f7326eb8f04eb3697b6ef
SHA256 3b6a28b427a3a5b6b5339a9963d4077b0e46eda416bb20ae147996eddef1f908
SHA512 dc2b6ccef9df148798de42845fd2cffa968e0cf0a54e8bec4fc8e3a34d839f57a1cc2cdc87b0bbffc1955eaef8d7166ed1d5620c1547b0dacf6b06ed5d831a8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32e5b6f61c1d14246f2cf0daa8b8b72c
SHA1 411c1f891903ab09098e45c8a96dcc6b0d79315b
SHA256 a270df8b62ca985db7c9d02e1daab6478cb0f0bd64257db13ea08fb6a008f284
SHA512 0d9e1748656fd83b020c317e6f2a12145e25f30306e4c091793fcf34313e584af0ad922e72ac922021810190406b3a85e444627dd160e23389dc62b54205425c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 703a6617ed99486b3c8b10a7798d7768
SHA1 9c70a829f1cf68d556ad672cd216f51085e707d3
SHA256 1878f13d075848e00d3b6a9bdb6ae1452a5983fe7a262c255695e218df291934
SHA512 7e4a266d6e8ecffa73e7ea9dac228198ae26f14aaed1c8117da0f9fc03f8fa9b332924fe25db71ff6db50e44946fba810f26d09ef53252ebd880e3d0575e400a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9d01e3b428e9f7d09a4a10afdd506fa
SHA1 ab79fadb53779c93a8e0d1c92b3c92bbc055234b
SHA256 4a5a394a7acad5e6841eac76fb75cbc17ca70b6efb331715206a13f92d6e904b
SHA512 79711e3f820f00eed1cb6b14b1ffcb491d843100317ed5447afb75092d3ce9fd419f6962c99708ca0601585c751c1d614d6b34b29eee4c5dda490e69c1dcdc9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b8ac972fc6cb1fbf77444b523ee4095
SHA1 dc0da296d75e7b7040c5ce4778bb0dc6b10ced81
SHA256 d2afc7a9c369791eeef1893c3f3702864e189d76ce7f50867f6b56ee15eb557f
SHA512 efed3f2a1ccbaf5e1313f4e234a0d6505f780952c0b53e6dabc16f2f9f5777ce89c68eaf8c6bd3ab741286c862747821e5d86b24b02f2ddea342f5a5512eb28f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1415456ad84d5e53b7f30b304e805af9
SHA1 5e148be6ffc4006f887620891f9e779d2e251fd9
SHA256 cb374317fa1ae71830cc3dda4972d8cf2c7ece4bab4b0b4433ca245bfcc078f9
SHA512 0c89e00f2dda2e6ba5ec1dc43b68089ded2125b3c4d8b363f1e4c13e1524a229d3b7a37d9939b8932c31c5bff297e4fa2a93dc362077b5dc66f8576cd0368f0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00410d70990ca22a3b1b814f2612ebdd
SHA1 0eaa305b4b6e0a8a8b197edf232ffcd93c0e68de
SHA256 9c4acb6dc0a59d86e139a7acbc1b6a3c678a23983d92a0b0f99b89f426ba6a15
SHA512 21766c051501153e0a65ba73b488e85497d79f110a39932a2f79b7500a77a1ca4e17a553578c5d386117c2e7965b1bb7f42d9dcff993e61202eb29158eb2f895

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55fbffb987bfb619b62a2bfb7cc6db25
SHA1 fa3d4183072e2d1295b8b539a46cf6ceed533ff7
SHA256 ccf3ba4f4862f4e7f479ba5f0e407bb6e3fcf446fdae05298a85d23ba5fb323c
SHA512 fa864d84a589c24cd7d97b532793892df4285be9d7329436017b8124c1af56afd683c8308532345467bb2ff944acfc7eb41f6e4068d7913da941300d127fe066

memory/2448-677-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-678-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-679-0x0000000006020000-0x0000000006C07000-memory.dmp

memory/2448-680-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-681-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-682-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-683-0x00000000011A0000-0x000000000164E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eae3f01e96139cf82e0f868ea49826bc
SHA1 0e074aeb5049e9e3c21ba88390a15214687c341b
SHA256 9da06872e0e7f4e810ccdb5c0812871de8d83341713a7cba25806aeb90361d73
SHA512 f4cc526b66411b4cdabd1125e5738918d3d4f8481f63f71a5bc9056169ddc030483ba7ae36c323cba7b01fba15bb11223dd6c9922f998aea6a217329dc6777fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0897dfa9a494cfabc41e2f06f82ff4fe
SHA1 4af92f225abe85fa7ab468ba05e5279461949785
SHA256 973e03ce86cd42c78fa1d2e397fcb559bd748224322f154eeb9532162dc50a6c
SHA512 ca5404d8374020cbdbe92ca07dbc58d2182194d41778a89de77d7cebc92412bbb9636326ee0decab171a1d71817da4ab152dec0f32fd103e464f35f655a38b89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 353e81997685305a8d4fab4fafa3d7e2
SHA1 544114cb53b1a1cf2c0ef1d639735acfb701d5a6
SHA256 55b686ff9e04f0f84a0da504c98e0bec8c3e7a34daf8a339fdac876f5eb67a4c
SHA512 4abfc05ee40ebc139a65116c1c0c601cdc9f5a1db621c2d5353878aefc545e04e5ced2d9b3633846c387e336c1c7a12ba68273213b828848616c18691d3e79a9

memory/2448-790-0x00000000011A0000-0x000000000164E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00427b8bcb2d110dc4f3ed349ea110be
SHA1 fce041fb41a29f3848a6376c81ec9cc3f210481f
SHA256 2ae449bf5e435ffa96e4c4f29409a0198c224033e435a1accb5336acd0212ecc
SHA512 34bb50db4fb6cfeb460f64d7fd75bf9c9d5214d66b0bf2006b2bbcb7294e021376aeea40ce0ec923eaaf6466357589f25437ebd787784894fe0ab565d7cb8799

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e644772ed665d52ef4c58aa04de6dbb
SHA1 1ce9366018e13f629fe58af2b81ae0273f4db1cc
SHA256 50cca29b0e7644719da2d2315225217c152f8ce7a5e31cebac041170759469ac
SHA512 f24a6d799d2cfd9fb38319689e6a025b5cee1a4ad7759a2d258de9b0a188a723e7e3d0c0ab23dbd00f2432241673716dc78cfb22f309666a61e6f4227c96c6e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cd6b526fe9605727e3efe8588f22985
SHA1 2e1a4a5881a342c1514bf4f7dcab95366108f675
SHA256 635f1da919b0263a2e2c38a521d0cb44f72ce66a06a695ca1bc3bc3eba6299fb
SHA512 b654bbd2e9c08fbf345659235809f59d53ceaa405b96cbe0b36d0915b03e1e028b9483971648d813db814b8e996f6b60ac70eb9f22e05505ccce66623c51cd5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b336b45a21d0e648213e882b1b804f01
SHA1 75cb1088730201ca5947aead3f0e11b7e7414e8f
SHA256 b7626ffa92f00c359a950c2ad9326deb093140e9c284652b545d514353e2817c
SHA512 4816e0bd6cb8b001967209b6a4f0606d87398099973156c726b622d5b9146f33947b1f57b73a6bd65e5632acb6a67acbc1c29fd74d768f35c8861149b98d9450

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b217172e7c9f1d0e4a5691b7bd84bdf3
SHA1 8e0930607a504335d8ba1bf1bb668bca2adf0f01
SHA256 43ec0029865ff7782f02645574636b04e69b24e6d7bfd7ca52f2a57848a62259
SHA512 7e87932f5b607894b15dc80c5f890477bb9efa42f7b670c7ab42cf9f756900f4c9e0e4e264474b48f13ab095bc708cf194218e466fcd25daf3d172c0b1626a5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ce0547d0e4f24dd8ea34e727ed0b129
SHA1 34268338aac1676c899c0ebfba844c1e02916d33
SHA256 37f02d7e98723f9c5d3114553ca4aaee3f9f502851089ba486fd6e5c9fae4d99
SHA512 f8ecf271920a81343ddc2df93c52acbe1cba8d7053b130fcee86e13cb4eb17ba9e211d6e8a56c64c7e017a82acd624e89e303f193085e2e4f0d2dabff05c7af4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae6065e0db3bdf326b659e9ff5ea7fa
SHA1 cd154c32a464f1533c82b069c5f1d1ac30518fd2
SHA256 fa2740f26ea4ff423b2095f1a3b0e4ee779d4b91c2be8fcc8c15d85e0e100fe9
SHA512 43b744bc982f88683f4c34dc0ffdc58f31e69fa1db49a4ce727037a486251b2b6b8324ec03e2f4e3bbf5bb73966b0c5492a2cfa1472014f8d16dc7f577ac3b88

memory/2448-1117-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-1118-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-1119-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-1120-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-1121-0x00000000011A0000-0x000000000164E000-memory.dmp

memory/2448-1122-0x00000000011A0000-0x000000000164E000-memory.dmp