Malware Analysis Report

2024-11-13 16:46

Sample ID 240710-mr3z5svfqa
Target 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb

Threat Level: Known bad

The file 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-10 10:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-10 10:42
Reported 2024-07-10 10:45
Platform win11-20240709-en
Max time kernel 149s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 240 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 240 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 240 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2828 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe
PID 2828 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe
PID 2828 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe
PID 2828 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe
PID 2828 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe
PID 2828 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe
PID 2020 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2020 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 568 wrote to memory of 5672 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5672 wrote to memory of 1340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe

"C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8feadd4-14d5-4a78-b198-ffde146e796e} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a3eef96-358b-47bb-a1d3-66f9609a2843} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 3272 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4563683a-3afa-4936-b54f-f1474b8917aa} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53529f1d-9f51-45a9-a0c9-57132c095167} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5381c88-b3e0-4867-99fd-57f5f1d47823} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 3 -isForBrowser -prefsHandle 5616 -prefMapHandle 5640 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daefdd29-3ceb-4746-a2fc-768301aa0937} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 4 -isForBrowser -prefsHandle 5852 -prefMapHandle 5848 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be0db9a1-4047-4502-824d-b881960b3016} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5752 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5e8bdd8-bdf2-4ed9-9572-45727686ffca} 5672 "\\.\pipe\gecko-crash-server-pipe.5672" tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDBFHCGCGD.exe"

C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe

"C:\Users\Admin\AppData\Local\Temp\KEHDHIDAEH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:49858 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
US 44.242.121.21:443 shavar.prod.mozaws.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
N/A 127.0.0.1:49865 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.14:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b0abfe65f6de9238e3b03b6d5e115706
SHA1 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

C:\Users\Admin\AppData\Local\Temp\1000006001\19fb736ef9.exe

MD5 7eac5517949c3ba823c0d05f296bd953
SHA1 89d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA256 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512 d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89

C:\Users\Admin\AppData\Local\Temp\1000010001\69676dffc4.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp

MD5 75c0dccaa2437c427b06fc6e8d01438f
SHA1 64ee045d63e9f3faabb3c4d7e8f96ce1cbff11dd
SHA256 54ae1448118c126983672633cab35fa0067b95a15362326527fd39de87c815e9
SHA512 5b137165ef84c65b29f6c638dae50c9b1dc001eb51c429f871de38d4cba9c6cd66a0caf9f1850e7105007d645cf0c33cc5784cab74b64a9955b15b925b3f2a4a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\b5b78f21-3b39-4c77-885c-6d1eb6c9fc1a

MD5 79417b80c98f0aeaec5dadd9464544b6
SHA1 b4b3b331af6b83fc90f4896b606a62bfc37786fc
SHA256 44e8f5974f01bd6f1ad2080e273a778eb3bca1e47c8a1388915f020c0a20416a
SHA512 3d8173fcbe9a03641ceb74294e2bd7216c1c8ce26861f1660c4af11ff40ab7344bdaef2c4b9806ab1fd135c53324bc905121fa3c4dd212f23a8b017caf2aa0dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\3a99789f-8fbd-4c5e-b14b-2a9fec1c1e68

MD5 e1a346f99861527f6ba7ba5a5871eb70
SHA1 7f9900600474fbc897365dbbf7d842a006b97283
SHA256 893898243df2dd5b9a4c4b7712166d047993d3da3edbf05cc0e0bb12122fa4cf
SHA512 84912d1aed0bf8033f3c05280ecde06e779b0ccfa3ef22b12b16b3b365212e5cb9cd186d04c75775b0a5d6680046dea52e35e354dbc6f417897d0c06c4d4d29b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 d5dc7169bde575b9a5040889b377be60
SHA1 e93cadd28c93b18fc7e255a247a4dc85fbf61ae0
SHA256 ad912ab031dcd414ef5b02c106aeed3c2cc1e040d0074c6627831216d8b5652a
SHA512 d379d9b9ade65cf07c8ad0b74651cc248c491be79e4a2a61bfc3ce66e0976e3ae745d1153c83b2c3ebff1a7d24745222be6f055ddadbd11781089a2e4503d088

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\1c4cfed8-fa0a-405f-970b-6c5940e7907d

MD5 68c4c38e6f91c116f7b7cc96fb0acd04
SHA1 c6c2b3e342cbd50ab00cc56e1116122bfdbb0e12
SHA256 4e8a1b0d7b518e3545a582321be89e336bda3635f89bb67043734d8f60d46aef
SHA512 18a9343f74c45fd7787d320832c6eaf7bf52d53e31ddbd66e100cf5d66e8b44da5081cddf4f1b10da831db7ff2ded65d62459964d1602ea72ca18ce80f487f04

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 72872e2002aa87d63111dd7749cf3732
SHA1 fd337d13f75bfdb3ff8d3c6f67a0e7fb583a894b
SHA256 6cd6ae43ae1a83ad3b15370ffb9df15289bad5978e53f04d67ca0fe5bb1eaa37
SHA512 dfd765a82301cc423a615449ae603d58785e525f263dc36f71b1646806e8f8fdc4856a914de04587368c2834d415626e2488aae0ea2571af7d81201ce09c03a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

MD5 0429820c612bcaa1eeea93202000fdcb
SHA1 6f5ef37fbe1e558cd3871e24e15f5061e2853ca1
SHA256 5ed231947602428159d3d16e062c4ab32278211b2cea2bf27156f660ba98e3de
SHA512 8822fd21df50b0bec45dd2dbb3b0037c96df2057d0b4d98b39c70cebe4632f40879901d8361196c092145ed70007f15aabd6385d80b578176447326e446209b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

MD5 ccc25c5b693706354172163343aebac0
SHA1 31156e8a52409e8209a93ad6b7ce4eafb01d08a5
SHA256 cb1431789310dc08d2c648ac71e93b209850038b626c4f3cca249f7137b0df0f
SHA512 2805c611e3e7c2b1192a06a580c022c29a06181a12cee5fb23ec33399a56ef832e4e59926ecd760986caa5b8ef82ee5c53c7658b61f5d46de641216a0e931e52

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cookies.sqlite-wal

MD5 efae739d07ba7d357bfde50ea3a39835
SHA1 b7bbb42fdeb5eeb1e43cc439f5cd7fac7377fe44
SHA256 c15b727818348d05344e79cf6237363353e2a44c4762d9a097884cf83eded11b
SHA512 5e99d0c1b9421b13ad46c5960d62861ab34d1b914e10368121e272107f1600ed5d878ce7e206c1f56f4383a6e82900e9882bc788d6da3f8c26364740e9da5a67

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 5251e46645db5513920b528836d9c4d6
SHA1 4149bf0f49697f4db86f11cb8ad0ba31635b9388
SHA256 68f00989ac22104a1c33c4cb0a893a90b640496c83bc9775da03304ce5fcb297
SHA512 fc7af739a5dff13ae349d6d949143946f1964081795521b366b7b660fbab1648884ad83339613aa135683acefd959ebd88de6440e5559bd13a917fd6525db8e4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\places.sqlite-wal

MD5 c3d4fd4001e334581fb47c9ae3c17faf
SHA1 0b01ff0a329729d0d6add0c64c9a9e7388304900
SHA256 89eb1ea2cd92ac2602752e07913ee3515abe4f95ba416218c2c9fe61e0158c54
SHA512 fa40327f04e2e57c402ad8f95bb420fd65434f662e053c9a7b3e8c7215ee6f7dd46603d9f05150ac4b60e62bffe40241a734f8444b94081e4e6009ef00341720

C:\ProgramData\GIIDBGDAFHJDHIDGDGII

MD5 504acb61c41359e29649098053ee0d14
SHA1 b9463942d88d656c9b2ffd2d302c997a1ec0a683
SHA256 dcc7129ee307daa7c86e03ca22fd78dbf82f516b13dbdf4d67b59709300c81b4
SHA512 a0cdb1f891d8a22f6a0cf5c93ad7b725a6f834546b20c0ee40bf8e89b2ce0d113c40a17d014dc57f3aa624f7333125a09a94b23a2562d18e41bd96daa65fb6f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 64b7ac74f30e1dec4ffa2a6bf16acce2
SHA1 1ac231ea998d8436199556adc6719b667c17ae15
SHA256 615879eab4df6ae0a233b0c65f22dbd7d07f9dd8189e988b371eebd567c00c46
SHA512 2dd836c7c81ceaec39bca4deb40b801c9eefff5ae0e762af47e64f68b6f651e93d9b3df694d7f970c0a892088b342da7450de2dec322400192195880161e5563

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 971c4ff4f07910d9301277250220c6d1
SHA1 3629ce42d37cf9f2b68366a81ba17b752bffb62d
SHA256 03c66235589e1318866abaa8eb26825ee905e003329955f2f623adb4e1acee14
SHA512 a25b5a4a7405c945d58b5e36ef6bad031e0e33e7e8f1a58931291a458438c475e835ce2307f01f043bedc2ff52f581962ed7ce5f8386593f6ea57a47beb627ac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

MD5 bff558e0dbcf61b61798d756ecbf6267
SHA1 42d697a0e69452d87b91053d815998af825ff356
SHA256 d581dff10716467e7265f61e337f7ed4e0a7f52df9587180169998d446b4966d
SHA512 40365f5bb06d541510e9e5822ad08ba93581f831589070e4add10f60d6b169dfe9060633003ebd76e52b03e98fe94ba9e01e15628e47f550567c9921deac24a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 4e1ab1c808322a4d705686d1ceabefb4
SHA1 3cc4ad25d86350c6bb973b9db66688392ef5b022
SHA256 116d5aac43b4f7c02585708a1ba13147fb81ace230a003e58c069b8e4390b105
SHA512 87e0809af939cdf1223dbd0398eabff8d19dce89d66063a56b25c0f247ed6ae7511a66e6847ee62893ae012474a850e76ccce6813adb3dd0667936b4408d6c7e

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

MD5 b94da580e1300e2dedcb3baa6558b48e
SHA1 9515c6fe3e194617a894e749821b36df98bfe870
SHA256 21ac90db6bf58561c70093f3e351f8da681bec5f2b1469b2059fec9c22f80c88
SHA512 338041117df75535e00a6440afd9d576f729ccb610bc66d4f2c698542cf985d6eca6f1ad816696b68174a8f38b04f0eaeb6b132f9f92f4776fd07b41cdd6c790

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

MD5 1d3e96d527c9215520c1f09fc3f4f610
SHA1 37f0c201553a149c4c8e6db6936a3d9835c7f712
SHA256 ea09723761413ade4720487933cb4a685bfa361a026191e62318e09a0ec1790c
SHA512 c7d6d12ada217d7dda8b2e4c2513dc40845d67a0cf6222a6a0eb167b40947d218b63b8951d5fb97326bb164ae5b4a8f8c0574a4e5f77fb833e47e3a2af470af4

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 10:42

Reported

2024-07-10 10:45

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe

"C:\Users\Admin\AppData\Local\Temp\64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 b0abfe65f6de9238e3b03b6d5e115706
SHA1 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c
