Malware Analysis Report

2024-10-18 23:42

Sample ID: 240812-wcgysssanr
Target: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA256: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
Tags: amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a

Threat Level: Known bad

The file b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-12 17:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-12 17:46
Reported: 2024-08-12 17:48
Platform: win7-20240708-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\f59fb8a3da.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f59fb8a3da.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2732 set thread context of 1960 N/A C:\Users\Admin\1000037002\b422d466ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\b422d466ac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2788 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe
PID 1956 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1956 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1956 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2788 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b422d466ac.exe
PID 2732 wrote to memory of 1960 N/A C:\Users\Admin\1000037002\b422d466ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2788 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe
PID 1792 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2244 wrote to memory of 1896 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f59fb8a3da.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b422d466ac.exe

"C:\Users\Admin\1000037002\b422d466ac.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\0087e13cb4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.0.1246222308\1291865308" -parentBuildID 20221007134813 -prefsHandle 1096 -prefMapHandle 1088 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5df902-4523-41ac-a7bd-287e2837ab48} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1336 a0d3058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.1.616028843\656757552" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6d012c2-eaf7-4706-bc9a-06e7e8e45096} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1536 44eb858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.2.1092571437\1662041967" -childID 1 -isForBrowser -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6022221-06ec-417e-aed6-996d83883305} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1960 a067558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.3.764834578\1957664143" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e5a537-dfb4-4845-b639-c1fcc9b892ab} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2704 e62758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.4.204586148\2098956651" -childID 3 -isForBrowser -prefsHandle 3224 -prefMapHandle 3824 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af80698c-f298-4f46-bced-bf1ee113a0fe} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3840 20416258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.5.2116743070\1796795313" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4479a5-78c2-4016-aa43-b7800a0004a9} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3928 20418958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.6.1439140262\1536199988" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2671467e-b2c0-4268-a921-2a3a49f18983} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4104 20418c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.7.1284299835\2018169493" -childID 6 -isForBrowser -prefsHandle 3984 -prefMapHandle 3964 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52373499-fa72-4c9c-bbd6-f378da39bf12} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3224 1ad8f358 tab

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 17:46

Reported

2024-08-12 17:48

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files