Malware Analysis Report

2024-11-13 16:45

Sample ID 240710-b8gyfszakl
Target 77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe
SHA256 77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce

Threat Level: Known bad

The file 77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 01:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 01:48

Reported

2024-07-10 01:51

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe
PID 1008 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe
PID 1008 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe
PID 4836 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4836 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4836 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 964 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe
PID 964 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe
PID 964 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe
PID 964 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe
PID 964 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe
PID 964 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe
PID 5060 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5060 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 4280 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4280 wrote to memory of 1084 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe

"C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEHDHDAK.exe"

C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe

"C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8cd10b8-4784-4dae-9584-c3cf8c883371} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5f1996c-4eb6-42ca-9f40-2505f4ef7471} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e19aea5b-fcb5-4bb9-bedc-592ce051c811} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4beabeea-8ae3-4008-abd1-6b0e6893e36e} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4604 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4540 -prefMapHandle 4484 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63eb81d8-245d-4f43-b4c9-27ab5777002f} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5128 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79a1e3e4-05da-4d7d-a52a-29c4fd216135} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3c21512-ac05-4ec7-8b3b-07c2d57d41ce} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a90f35-a593-4c8b-9049-fab37943ae57} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:61253 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 216.58.213.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 127.0.0.1:61261 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4---sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 233.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/428-0-0x0000000000DA0000-0x000000000198B000-memory.dmp

memory/428-1-0x000000007F6B0000-0x000000007FA81000-memory.dmp

memory/428-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/428-74-0x0000000000DA0000-0x000000000198B000-memory.dmp

memory/428-77-0x0000000000DA0000-0x000000000198B000-memory.dmp

memory/428-78-0x000000007F6B0000-0x000000007FA81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBGDHJECFC.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/4836-82-0x0000000001000000-0x00000000014D7000-memory.dmp

memory/4836-95-0x0000000001000000-0x00000000014D7000-memory.dmp

memory/964-96-0x0000000000860000-0x0000000000D37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\2b458e01b9.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/1104-112-0x0000000000D20000-0x000000000190D000-memory.dmp

memory/1104-113-0x0000000000D20000-0x000000000190D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\175727a5bc.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/964-132-0x0000000000860000-0x0000000000D37000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 3c3a9c26e19c5ecaff5b1ccdbb745442
SHA1 e7cb7a2e07ac793812a92d8ad45d9010ebba797e
SHA256 9841fc258d493fbb60e2ef8774a6e50fccc7e993bea39e5f41c327093884862a
SHA512 f1ae336165bdd3e92067177969633eaa2ea1f03e195f0d2f5e8bc3f4b91f7d794c7589d43d9137b446de221a755eeed014dc340fde7f6a880a326a65e04b4c52

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\activity-stream.discovery_stream.json.tmp

MD5 971876178fac6d8f84613713292aef39
SHA1 0e28193f1534f1c54f64dc4b03fc66187e648d39
SHA256 c886d2d574b6375fa50deff4ac9f7fcec988ed4c2864f394a87152d1400b08eb
SHA512 917cd1371a6f8f130fe25272e06e7a3644693859eaf30d64d8d74675237be1216ba7beb4c9864bdd18d398074fba5cb0dc752bbadc1402eb3fa5bf7d49e57a77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\d1cabef7-3076-43fb-a505-dbfb8c5fc6a6

MD5 f9425700f21b18ffe76c2dc8630bad79
SHA1 fab523fb0dfadf48c5f0cc41f8d584e5e730adac
SHA256 143d293882060e6e84126fdb5a4b0562fcdd4e50dcf1612c9e1c96dbeec4a342
SHA512 35e2ea6e622391c496499705e43f0ccd2d1e0ef3826180bb165a551520a62c5b556552277ea6e8cb4fad926f993d8461ae44a3cbf271823e9e01cd0cab541acf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 a9a530003dffb1796a6c7809b0a4fd65
SHA1 0329ec60557036d79efd472658de87c8535dad10
SHA256 dcf6b50a53c9d2642cd599186ac5ba5fa6d6e7095315efaac18492a14a12ed25
SHA512 10676e1101f73614d85639858754cbd84c78e04ce843ebd9d2363636ede6594c8a373d1b62b8684586db4c834a488095ad93c087e7fe9128a4a306ec61dd83d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\AlternateServices.bin

MD5 bbf6056b88af35b027018519626a2b42
SHA1 06377ae69e1f150953489c121defb9af8a168ff9
SHA256 b0008dee93da06bb685714b012834c40ac959128455c4268e97c0eb2e0a8b6ca
SHA512 2682db2d3790d413661579e7b9e0138608ec6b46bcb51c84276c06be28d72e65d08bd7ee47b5e074fb48bb9f68a6ad8f26ef83bb499af014d53f350a3270047e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\3dcd0d59-baf1-41f4-b2bb-c84b2e5fd547

MD5 52728f51b2ad3e248d78a665528c008e
SHA1 019c6d3d32356eb959fa9434a32c76481f73c1cb
SHA256 d68869cb748d46137f7e7c565b4602014b26e38a933948a065b36ef2a53308e7
SHA512 39de46e318a95279975ecb9a59a885946fb6a082e7f4b2bb2273a5155ec07d16c06923bfec6a87f5e9578bad0cb57545d0fd6799527351b1bb4a3b73e7868a06

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 134dcbefcf231d50e802cda754dd939c
SHA1 0461d94cf0d60cef3f17333be8627c1721ea3b72
SHA256 c74c8ff19dc89dac51e576bb6ccf3825c038d76f0b4de357ef43d47d38d1d439
SHA512 ad453828e3f9fd5bad280916f96381124c565b03293bc8ab1610ae18caad35b14322588755e353723b4ad742df470f924dc4fbc90fc417861b0b2a06a0266cef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 c1fbd2218656bda88c7e3c5d2dd8fb77
SHA1 b6e1d9fe59a2c157015e8e408610c0aeea27fa1d
SHA256 1eaff6532ed185ca4f134a2f17fd27519266a995532bcfda34868787d8bcc015
SHA512 2cc5c361f1f2911148a0bf2760bd0ac1c016aa1af17f3075c51b79d31723a34578670a8374b8e570a27a741da8cc43c84a4710079dcd2a26eb9140cc2a3ee35b

memory/964-471-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-478-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-483-0x0000000000860000-0x0000000000D37000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

MD5 f4ceb95884d0c71c0d756a9162c694a4
SHA1 d1eeb7b3fd3fd7f03fa4cd1acb73fe63787d0b52
SHA256 6abec34582edaea7dc06270620761f43b5b9f330c52d43b7a91545ad3bbb4a8c
SHA512 dc990effb811adeae1a8faa33fa7f5e8c94483a1add16510b530d2cdfde6c2fe2c9e7b4c8f07c69b3c83916c3796c11082ef3cfdf9d3cd8dd3a14c9e92d23193

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 42a5cbe2bac74c63123fa404d91b7cdc
SHA1 608329f9790a2bd1d20ffe5034bd4a93e6bc1b8e
SHA256 8f75efd6b01a55a3a754c225272db35d9606b5df83df0af78fef1ce00f5f6865
SHA512 9b35301796b3688d9f585ae3ae2d03a67503ade5d3fd91eb9ecc60ce2638376a0ab6ed60ea032120c6082325f0764ff5f09a8cf97d037b556168a71be63e8dbc

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 c4375b9fdffb2bbd080c2240c23d0d94
SHA1 449967323a643bf353553840ceb281845f494ef0
SHA256 78297d6ec04b3cf3f9c8e961c956dc7aed1572fb3a81bb886c98813b78b1acef
SHA512 53ece787917373d24b3f9f6a88eb6d07c4dd669600f73c426e85611e1a47054f94cac3739930267a5040c89347d131b94a2dcdf018065274ff9fb3c59c41e848

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

MD5 49e0b407be4e14c6e4dbd12b5cd8e415
SHA1 47427f055ed2e21396ede2d36ef8f1d87a6c8b06
SHA256 c8449f15c48fd6c92bcdb1d204d7d6c6e28a8e5ed701c959b8416575f4de744f
SHA512 6388f3df0d88d659e85e55bd9d7496b63c935884145a6a7780452300de8e6aa4e5c7827dfcb3c33863bc6533a59331df9ada34f11fbcd7d1bf0416d488fc45de

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/964-741-0x0000000000860000-0x0000000000D37000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs-1.js

MD5 559956102577304feb2e2fd4967ba496
SHA1 35717085b0ab79e0f8596b4a77c08afdae9222ec
SHA256 12e063747f82f930ece5c8bef3daf4fdc413a2e597fa439f6a6e476c9199771d
SHA512 86cf4ef95097474e6b8ccadcb62b743b6fd30d8f8fe2724cdd10c20fff76d2ea4c1048f2240daaca531809615aef26df8d9f97544e22f0f24985ff09ae29ca2e

memory/3656-1301-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/3656-1472-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-1894-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2685-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2691-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2693-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2694-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2695-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/116-2697-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/116-2699-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2700-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2701-0x0000000000860000-0x0000000000D37000-memory.dmp

memory/964-2702-0x0000000000860000-0x0000000000D37000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 01:48

Reported

2024-07-10 01:51

Platform

win7-20240704-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe
PID 1484 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1484 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1484 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1484 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe

"C:\Users\Admin\AppData\Local\Temp\77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIDAAFBGDB.exe"

C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe

"C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp

Files

memory/2624-0-0x0000000000980000-0x000000000156B000-memory.dmp

memory/2624-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2624-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2624-64-0x0000000000980000-0x000000000156B000-memory.dmp

memory/2876-84-0x0000000001FE0000-0x00000000024B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/1484-85-0x00000000010C0000-0x0000000001597000-memory.dmp

memory/1484-114-0x00000000010C0000-0x0000000001597000-memory.dmp

memory/348-115-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-120-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-121-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-122-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-123-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-124-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-125-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-126-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-127-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-128-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-129-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-130-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-131-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-132-0x00000000012A0000-0x0000000001777000-memory.dmp

memory/348-133-0x00000000012A0000-0x0000000001777000-memory.dmp