Malware Analysis Report

2024-11-13 16:47

Sample ID 240710-bs993azdjb
Target 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe
SHA256 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215

Threat Level: Known bad

The file 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 01:25

Reported

2024-07-10 01:28

Platform

win7-20240704-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe
PID 2860 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2044 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0cc5ff63c7.exe
PID 2044 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe
PID 640 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1364 wrote to memory of 2092 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 2620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2092 wrote to memory of 2344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe

"C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAEGHJKJKK.exe"

C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe

"C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0cc5ff63c7.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0cc5ff63c7.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.0.950395412\2140485428" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1160 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db8f100-b8ec-4f97-8e2d-0143227cd6bd} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 1356 123d5758 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.1.2050783876\1177431013" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {650fab32-df6d-4cae-9a33-64a1f027d067} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 1556 e72858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.2.1565179367\514012442" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43798f63-31f5-4f67-930c-f5a3be530174} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 2124 1a595258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.3.620483698\2139543013" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2724 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0573be7d-639e-4c28-9996-26e22397225d} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 2740 e68d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.4.1057268955\1084753864" -childID 3 -isForBrowser -prefsHandle 3584 -prefMapHandle 3612 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {452c1892-42f6-4c92-ada7-bd7912881f7b} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 3644 1c039558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.5.902148601\1160862913" -childID 4 -isForBrowser -prefsHandle 3788 -prefMapHandle 3792 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4117f0e-ab7e-49c9-9107-8449569a8e57} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 3776 1c039858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.6.1043399634\1029415396" -childID 5 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e566fd7-d968-4354-b037-965ebbcd1651} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 3944 1c03a458 tab

Network

US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp

Files

memory/896-0-0x0000000000800000-0x00000000013EA000-memory.dmp

memory/896-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/896-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/896-65-0x0000000000800000-0x00000000013EA000-memory.dmp

memory/896-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/2860-101-0x0000000000940000-0x0000000000E17000-memory.dmp

memory/2860-115-0x0000000000940000-0x0000000000E17000-memory.dmp

memory/2044-116-0x0000000000040000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\0cc5ff63c7.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/2044-137-0x0000000006300000-0x0000000006EED000-memory.dmp

memory/1548-139-0x0000000000BF0000-0x00000000017DD000-memory.dmp

memory/2044-140-0x0000000006300000-0x0000000006EED000-memory.dmp

memory/1548-142-0x0000000000BF0000-0x00000000017DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\80cd93dda8.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

memory/2044-157-0x0000000000040000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs.js

MD5 0d39b8898a498b46b0aca8e502469fe4
SHA1 1431fae2ecbc064b02c37626a560d70447950beb
SHA256 9e8162ff7c965569c5fcf4a13949a7a1ce4aede157e22be7ba70897a33352574
SHA512 d856975080aa8de50241404d8d3408ca6339c6aa561e2b11260519ae343f47e59a88018b5e72a2418c85d7c13b920509bb85831c19190b5edf94106a4ad15e47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\1b1e1291-9374-45aa-9877-d1c9f627aa88

MD5 2c1c22118facfbcf1a557e6d5a65eb1d
SHA1 9310ec5d647ae34e013c17d4044fa284ad2fecdf
SHA256 e6186b898e8160c0912aab900a1880d7bfcb615b21be6a78b5d507901c93177d
SHA512 f93cf6874d734d03a5d313293192e8fba35eb32fb1d8e1548815312a7122e73a05abdabcaaf76973b41754f02060386e7f02532255613143fc9d30efdd86dbd5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\db\data.safe.bin

MD5 b751055e62980b4f5ec9acbb80f0c917
SHA1 34863bcac66e1a331827dfb2e9926d76509f7d2c
SHA256 800d9cc20cf2147aaa39751e0b88d1628489d70e21c41f0a565a47eff86e6e60
SHA512 adbb080998c8bc5cbaf9c932f6329532dec15bfea5dae34c51fa7f710f2ce1b29ed5dd4aeaab8dab76fe5cf5c7397232d0fb948599200746f482b3a69d87ac61

memory/2860-226-0x0000000000940000-0x0000000000E17000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\activity-stream.discovery_stream.json.tmp

MD5 c85d6bfdc15c37ce09a941f620f9230c
SHA1 5242986e37d2c240176e0b3d66ba321cca9cdb29
SHA256 e9e86886394952e910f8ce420817dee53ae06e4a0dfa81a86d0e9b7f9a49831b
SHA512 5fdedd3610efdc44386037006ecd93a2833bfcb20611a468baf6dc78633fc1444f2ad11e6dd4bfb4b490529b48db506f1898a015b99e957bb76d368ecdca1242

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\activity-stream.discovery_stream.json.tmp

MD5 b51f04d52a1cab4eb26d58683cc6baa2
SHA1 c81c3fe6ff453fb27fe5bfec64fdc2ca14b9a171
SHA256 557cbbaa0c5a4d5d6b6dc3f17bb15f04355764b15f87403209f1e678bd7e437d
SHA512 67c0aabf1631687c4a57e44063bc8224e944b0f14369c5e69e4dd39bbf92653d70f5784a9dff1e77eb43a0d0d8e5704140709fd9170d34309239710259e1dd77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

MD5 b90729c783986ca280e91ecc8c60349a
SHA1 5c1cc196c442246c1a4a33740645f0c69f473004
SHA256 fd5bbd65d0c23c23edfff0053a21dbf7b28e1cc169a3099facc087a80fe3e70c
SHA512 2ef0e4a47086c97b5d2506a348bc90a2f0de01ab03f4b5ab9d8bcbbdf6731e5c15ce2936149b2fd9e2b77a47e1c5e9b533b1eda645a1cfef72dc2238bcd094ca

memory/2044-340-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-341-0x0000000006300000-0x0000000006EED000-memory.dmp

memory/2044-342-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-343-0x0000000006300000-0x0000000006EED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\sessionstore-backups\recovery.jsonlz4

MD5 25c78c79e6c5531a5f28d3aeca8c9cfe
SHA1 bf90ef4cc4187a29f71bbb6c407291fc5ac2b632
SHA256 bde819355275d6396ce7e36ca4dadf1cdff52305e2c6905e0d09531611094da2
SHA512 b7efa2c67faf112dded675908aed4a4c5b54910905bb882631eb994689230aeac25e07ae9d389fb30271f6703189961fcfccc25931a3ccd0b10765911712ac92

memory/2044-360-0x0000000000040000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs.js

MD5 813fc5c92d0ff6c5ffa3a5dc506ec986
SHA1 a88815334f607cadc6c0bd8406b377502c8a5f05
SHA256 d99599f66c1c08c0f1028e3753294b459b64369da58af3449990f561d0d3bc04
SHA512 a1152994d3f7a2eac64d7aa209dd4fbf4e9997edb58c7f92425382992620c28b2c9daa4b14457e7f75bad5e1fa4ac2c45d9f87d9bb8d34b3560ccf7fd1719650

memory/2044-440-0x0000000000040000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

MD5 8fccaff9c07c10b2bede5090aed9e7e9
SHA1 dc7fe935310ff4d25a4c5b988488784266e5bc4b
SHA256 dab9a45de14d72a4ea2eb01ac4e88f6b136b65aa3a496a442bd85f81fb65a891
SHA512 8d3f8a42380a289c9e24060ea233f054ad9bfc0318fbd1d9225677aa042f1c2ea2fd184484d72f142e3716a948ed32e1e6c48379668c417eedd58283d448d158

memory/2044-446-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-448-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-455-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-460-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-461-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-462-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-463-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-464-0x0000000000040000-0x0000000000517000-memory.dmp

memory/2044-465-0x0000000000040000-0x0000000000517000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 01:25

Reported

2024-07-10 01:28

Platform

win10v2004-20240709-en

Max time kernel

145s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe
PID 2316 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2316 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2316 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe

"C:\Users\Admin\AppData\Local\Temp\42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe"

C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe

"C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2924-0-0x0000000000670000-0x000000000125A000-memory.dmp

memory/2924-1-0x000000007F150000-0x000000007F521000-memory.dmp

memory/2924-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2924-77-0x0000000000670000-0x000000000125A000-memory.dmp

memory/2924-78-0x000000007F150000-0x000000007F521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAECAECFCA.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/2316-82-0x00000000006D0000-0x0000000000BA7000-memory.dmp

memory/1956-94-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/2316-96-0x00000000006D0000-0x0000000000BA7000-memory.dmp

memory/1956-97-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-98-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-99-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-100-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/2968-102-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/2968-103-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-104-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-105-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-106-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-107-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-108-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-109-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/4240-111-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/4240-112-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-113-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-114-0x0000000000CB0000-0x0000000001187000-memory.dmp

memory/1956-115-0x0000000000CB0000-0x0000000001187000-memory.dmp