Malware Analysis Report

2024-11-13 16:47

Sample ID 240712-cjw7hswhld
Target 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA256 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
Tags
amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80

Threat Level: Known bad

The file 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d hate discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 02:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 02:06

Reported

2024-07-12 02:09

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A | 1

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A | 3

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 5

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | N/A | 7
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | N/A | 53

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | N/A | 7
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | N/A | 54

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3356 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3356 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2368 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | 3
PID 888 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | 3
PID 1428 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\8fdd20a71a.exe | 3
PID 1428 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | 3
PID 1596 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 696 wrote to memory of 3976 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 3976 wrote to memory of 4688 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 33

Uses Task Scheduler COM API

persistence
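The signature tables above are flat text, and two things a triager wants from them are buried in repetition: which dropped process performed which anti-analysis registry check (VirtualBox ACPI table, BIOS version strings, Wine key, locale), and the actual parent-to-child chain hidden in the 64 WriteProcessMemory rows. The script below is an added example, not code from the sandbox or from the report: it parses rows in the "Description Indicator Process Target" layout shown on this page (assuming exactly four columns, with spaces possible only inside the Indicator and Process columns), maps the flagged registry paths to a technique label of this example's own choosing, and rebuilds the process tree with repeated edges collapsed. The embedded rows are a constructed excerpt copied from this report. One point the tree makes visible: 4f7e97739d.exe starts firefox.exe with a YouTube URL, so the firefox.exe rows elsewhere in this report (SeDebugPrivilege, CentralProcessor queries, Mozilla service traffic) are browser activity triggered by the sample rather than the sample's own code.

```python
"""Added example: parse flattened sandbox signature rows and derive
(1) per-process anti-analysis registry checks and (2) the process tree
implied by the WriteProcessMemory rows. Not part of the original report."""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt of the rows on this page; one WriteProcessMemory row is
# deliberately repeated to show deduplication. Rows of other signature types
# (FindShellTrayWindow, SeDebugPrivilege, ...) are simply ignored.
REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe N/A
PID 3356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3356 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe
PID 888 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1428 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\8fdd20a71a.exe
PID 1428 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe
PID 1596 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 696 wrote to memory of 3976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3976 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Indicator and Process may contain spaces, so anchor on the drive-letter
# path and the trailing ".exe" rather than splitting on whitespace.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|File created)\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Z]:\\.+?\.exe)\s+"
    r"(?P<target>N/A|[A-Z]:\\.+?\.exe)$"
)
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<process>[A-Z]:\\.+?\.exe)\s+(?P<target>[A-Z]:\\.+?\.exe)$"
)

# Registry locations flagged in the report, mapped to the technique each
# indicates. The labels are this example's own reading of the indicators.
TECHNIQUES = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI table (anti-VM)",
    r"\System\SystemBiosVersion": "BIOS version string (anti-VM)",
    r"\System\VideoBiosVersion": "BIOS version string (anti-VM)",
    r"\Software\Wine": "Wine registry key (anti-emulation)",
    r"\International\Geo\Nation": "Locale / country check",
}


def parse_rows(text):
    """Yield ('reg', desc, indicator, process) for registry/file rows and
    ('wpm', src_pid, dst_pid, process, target) for WriteProcessMemory rows."""
    for line in text.splitlines():
        line = line.strip()
        if m := ROW_RE.match(line):
            yield "reg", m["desc"], m["indicator"], m["process"]
        elif m := WPM_RE.match(line):
            yield "wpm", int(m["src"]), int(m["dst"]), m["process"], m["target"]


def evasion_checks(text):
    """Map each process image name to the anti-analysis techniques it used."""
    found = defaultdict(set)
    for rec in parse_rows(text):
        if rec[0] == "reg":
            _, _, indicator, process = rec
            for suffix, technique in TECHNIQUES.items():
                if indicator.endswith(suffix):
                    found[ntpath.basename(process)].add(technique)
    return dict(found)


def process_tree(text):
    """Return (pid -> image name, parent pid -> [child pids]).
    The sandbox emits one row per WriteProcessMemory call, so parent/child
    pairs repeat; each edge is kept once, in first-seen order."""
    names, children, seen = {}, defaultdict(list), set()
    for rec in parse_rows(text):
        if rec[0] == "wpm":
            _, src, dst, process, target = rec
            names.setdefault(src, ntpath.basename(process))
            names.setdefault(dst, ntpath.basename(target))
            if (src, dst) not in seen:
                seen.add((src, dst))
                children[src].append(dst)
    return names, dict(children)


def roots(names, children):
    """PIDs that never appear as a child (normally just the submitted sample)."""
    all_children = {c for cs in children.values() for c in cs}
    return [pid for pid in names if pid not in all_children]


def render_tree(names, children, pid, depth=0):
    """Indented 'pid image' lines, depth-first."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(names, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    for image, techniques in sorted(evasion_checks(REPORT_ROWS).items()):
        print(f"{image}: {', '.join(sorted(techniques))}")
    names, children = process_tree(REPORT_ROWS)
    for root in roots(names, children):
        print("\n".join(render_tree(names, children, root)))
```

Run as-is it prints the technique summary (explorti.exe carries all three anti-VM/anti-emulation checks, KFBFCAFCBK.exe the VirtualBox check, cmd.exe the locale query) and a ten-node tree rooted at PID 3356, with both cmd.exe launchers and the explorti.exe branch that leads to the two downloaded payloads and the browser. Unmatched row types are dropped silently, so extend the two regexes rather than the data if you feed it a full report.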

Processes

C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe

"C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDHDHIECG.exe"

C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe

"C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\8fdd20a71a.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\8fdd20a71a.exe"

C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe

"C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.0.1769097270\898519217" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 21998 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a81cf3f6-860a-47df-94e5-2c68da3aadd0} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 1884 18f7e60f358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.1.537272367\641344352" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22849 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f7ff75-fea2-4337-9d44-97192e42ac8e} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 2476 18f71a89f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.2.475354292\2134972578" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22887 -prefMapSize 235091 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6254bc33-a4dc-4bd4-acbc-9338a69a94e5} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 3004 18f02059258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.3.2055203877\953599654" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be9b1594-2f11-42d5-bfff-42039b027a38} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 3660 18f03875458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.4.1881051538\1475640367" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60cae52a-f8f9-4478-bca5-24880666e9f4} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 5280 18f06153b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.5.332807018\1211741545" -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {211d530b-af5f-496d-8e61-11feb6e0d791} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 5416 18f06153e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3976.6.1266532874\1710725373" -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3235083b-d054-4085-8ca0-25400959d77e} 3976 "\\.\pipe\gecko-crash-server-pipe.3976" 5396 18f06151d58 tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:58226 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
GB 172.217.169.46:443 www.youtube.com tcp
US 52.33.222.107:443 shavar.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 209.100.149.34.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 191.144.160.34.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 142.250.180.4:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:58233 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 199.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/3356-0-0x0000000000700000-0x00000000012E1000-memory.dmp

memory/3356-1-0x000000007F890000-0x000000007FC61000-memory.dmp

memory/3356-3-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3356-74-0x0000000000700000-0x00000000012E1000-memory.dmp

memory/3356-78-0x0000000000700000-0x00000000012E1000-memory.dmp

memory/3356-79-0x000000007F890000-0x000000007FC61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KFBFCAFCBK.exe

MD5 7eac58c3aac017b11c5a2a99ae66c51a
SHA1 570339f867e074afb6f0238ca2152a50356647e1
SHA256 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
SHA512 d99289c3746bb2d429d80c6d6757b44f125980a8b461c8d5716d4e49acb2fee1c0c4a94ff66b9a1c90b21d7d23e767201ecb6282288b0b2f068e912942729769

memory/888-83-0x0000000000990000-0x0000000000E44000-memory.dmp

memory/888-94-0x0000000000990000-0x0000000000E44000-memory.dmp

memory/1428-96-0x0000000000B40000-0x0000000000FF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\8fdd20a71a.exe

MD5 b5f67083e086299287f0dfb2a7bef96e
SHA1 dccf58d99cd7153859d1ad5a1c3f7e348e2ebbb7
SHA256 1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA512 55c4f5d435a1a27e6c8e14c88e454da4dc2398076f4596a6f983184831db0119c58be9c82b8ddf5ef37265b65b5cea56e5963c871b2be0f8e88064224681d654

memory/4396-112-0x0000000000DB0000-0x0000000001991000-memory.dmp

memory/4396-113-0x0000000000DB0000-0x0000000001991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000011001\4f7e97739d.exe

MD5 89d94c18987eb5d638be8f74bc307ac5
SHA1 5f7d6e6d18cb0dc610dcfa684d424b38ae4f7ff9
SHA256 384ce4a6f2794b0cb3c5fe36dc9b19b755315c9918ad19c925401099c41be9e6
SHA512 8f3880137b1a7e511dbbc3164c0a28cd1933776a009120df4eba0476f07dbd2b7764dae406620da6b2ab324ac0aa8011f914db6aad213fbacc4d73f0d28c2a63

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs.js

MD5 5f156d805defff43f81442de6a88fd91
SHA1 5faf5a2f3db5eac9a8782fd080db63657e111863
SHA256 65f31f26697d1592339762a0ce61fe77bc0a96bf57ead99899dd74cb0c03abd8
SHA512 cffb1f9e04e8805c90cc42db41afd19b8980c975746eeb66e081858ac8b1427ce5b21550d0d5b6bdb149258267a77a072afcdbf369019c21526cc5822a8c5a61

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

MD5 adb6b16c2e20c52683cb03cef589bac8
SHA1 be691bf1b318eaa6203d468982195205bdb2509f
SHA256 e62e09eee7cc110c4387707d455575683b59578a71448bde86ea4c215474d66e
SHA512 ceb38f4acf06729ef6277627780a4db68b379fd69e9a95c21cb08137eaeba9fa02730f94a1ce506ab56090242c6a116b3bb8ea7b33ac080df4a6bf9a3c6208e3

memory/1428-216-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-256-0x0000000000B40000-0x0000000000FF4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b64a2c2f21226490a6644475a17b426a
SHA1 7e51c37e636916061b143e2185253d8647e75b63
SHA256 2e99e2dab79a1dca7ddd8e3f1083d9df3b2e9fd95a4c9e0715a5275d00e01f1b
SHA512 fa6967cdc125b652e126fb7a97551e2a4c035649641a8fcefe959914feecf3271d72b489bcb1190c0483eb419f43ed3808ceea642e6e770f502099ce647333e8

memory/1428-266-0x0000000000B40000-0x0000000000FF4000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 43640f16a7f083dec074d745ba97c532
SHA1 4cece6433d332dc66ab9a20efac3ab8095134541
SHA256 fcaeca217e9f05c7d0cae84199f5cc9d1028dae4844838755f922b9291df4a78
SHA512 8bf638cf3190fc3223bc588e2912ee60c94102baa37517f4b04efd74e40c23489176875a6f70f8b0a93ee7641a0976933b4e2a36eed5af154b8e2122165e2c06

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 8cf8fb96acf3a196489fe3d79c05afd0
SHA1 a6151c96374cc82a7a17d65363ec346cac3832fc
SHA256 4cba838cd84da0760874a4e5c2f0da54df36bfe28395c20bf3bb4239cc13a55f
SHA512 c815a5d56c37a9e9b8e0f460488b05aad9d2dbb4393a871874bc23b464b6e57946538028cd5f635ae558801e76c5c76be563111ff4704f30f0c48aa07b262a26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

MD5 bc922cc63cfa573f932520b3037e9427
SHA1 214e07fca9a42a69a4826a88cc2c03c1de669eba
SHA256 34afac9ec6bc511a1a733261a37d02b69e0e8b60c781767189f2770e3fa39206
SHA512 bc65f8289ce8523dbfa4ec7de58da9f4c6fce28e8ca56a4cd18507f9d0cf937e64cab3e3cbaabf1f955fe2d98509e9c1cba6a1adf74f0f7fd7a0894ed86e1945

memory/1428-657-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1864-1336-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1864-1489-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-1965-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2251-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2270-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2271-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2272-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2273-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/3764-2275-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/3764-2276-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2277-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2278-0x0000000000B40000-0x0000000000FF4000-memory.dmp

memory/1428-2284-0x0000000000B40000-0x0000000000FF4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-12 02:06

Reported 2024-07-12 02:09

Platform win11-20240709-en

Max time kernel 144s

Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe
PID 1384 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe
PID 1384 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe
PID 4600 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4600 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4600 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe

"C:\Users\Admin\AppData\Local\Temp\1b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJECBGIJDG.exe"

C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe

"C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp

Files

memory/3776-0-0x00000000008F0000-0x00000000014D1000-memory.dmp

memory/3776-1-0x000000007EB30000-0x000000007EF01000-memory.dmp

memory/3776-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3776-77-0x00000000008F0000-0x00000000014D1000-memory.dmp

memory/3776-78-0x000000007EB30000-0x000000007EF01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BGIJJKKJJD.exe

MD5 7eac58c3aac017b11c5a2a99ae66c51a
SHA1 570339f867e074afb6f0238ca2152a50356647e1
SHA256 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
SHA512 d99289c3746bb2d429d80c6d6757b44f125980a8b461c8d5716d4e49acb2fee1c0c4a94ff66b9a1c90b21d7d23e767201ecb6282288b0b2f068e912942729769

memory/4600-82-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/3368-94-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/4600-96-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/3368-97-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-98-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-99-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-100-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/4148-102-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/4148-103-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-104-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-105-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-106-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-107-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-108-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-109-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/5072-111-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/5072-112-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-113-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-114-0x0000000000A90000-0x0000000000F44000-memory.dmp

memory/3368-115-0x0000000000A90000-0x0000000000F44000-memory.dmp