Analysis Overview
SHA256
a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
Threat Level: Known bad
The file a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd was found to be: Known bad.
Malicious Activity Summary
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 05:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 05:06
Reported
2024-08-12 05:11
Platform
win10-20240611-en
Max time kernel
293s
Max time network
299s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1972 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 1972 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 1972 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
| Hash | Value |
| --- | --- |
| MD5 | 541a410ec2e96f6ce14befd4312b3478 |
| SHA1 | 69824f49bb7b180904632f865652429a5762c290 |
| SHA256 | a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd |
| SHA512 | 3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 05:06
Reported
2024-08-12 05:11
Platform
win7-20240705-en
Max time kernel
292s
Max time network
262s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2148 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 2148 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 2148 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 2148 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
| Hash | Value |
| --- | --- |
| MD5 | 541a410ec2e96f6ce14befd4312b3478 |
| SHA1 | 69824f49bb7b180904632f865652429a5762c290 |
| SHA256 | a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd |
| SHA512 | 3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046 |