Malware Analysis Report

2024-10-18 23:40

Sample ID 240815-e9tkeszenl
Target d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
SHA256 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8

Threat Level: Known bad

The file d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 04:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 04:38

Reported

2024-08-15 04:41

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef755d12ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ef755d12ba.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3740 set thread context of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 set thread context of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\0fe2b59edc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3012 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3012 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3012 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3804 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe
PID 3804 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe
PID 3804 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3740 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3804 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\0fe2b59edc.exe
PID 3804 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\0fe2b59edc.exe
PID 3804 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\0fe2b59edc.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2512 wrote to memory of 4128 | N/A | C:\Users\Admin\1000037002\0fe2b59edc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3804 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe
PID 3804 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe
PID 3804 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe
PID 4012 wrote to memory of 4636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 4636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4636 wrote to memory of 2872 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2872 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe

"C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\0fe2b59edc.exe

"C:\Users\Admin\1000037002\0fe2b59edc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ce529de-d97a-4ca7-89bd-d8e4f095dfc0} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a51799f-6216-4369-8202-c2d80f1e40de} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 1 -isForBrowser -prefsHandle 3388 -prefMapHandle 3348 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7aaccf5-3c9c-4f65-beb0-08fe7d396440} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f56e6d10-f5b2-4d34-82e5-5cf976c8dcdd} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {569f0f70-b004-460c-a066-929533ebfbae} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5192 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7129cd28-d531-41b3-b156-4a48bb58a090} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5268 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5479206f-9e05-4098-895f-14891d046b89} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb27ac1-1e02-42aa-9fbd-e4ac071f3a6b} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6204 -prefMapHandle 6208 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69dfc7c2-ce29-4b87-8070-a8ce7e8c6eb0} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:59404 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 18.88.81.35.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 172.217.20.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 172.217.20.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:59411 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4---sn-5hnednss.gvt1.com tcp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 201.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3012-0-0x0000000000140000-0x00000000005F3000-memory.dmp

memory/3012-1-0x0000000077654000-0x0000000077656000-memory.dmp

memory/3012-2-0x0000000000141000-0x000000000016F000-memory.dmp

memory/3012-3-0x0000000000140000-0x00000000005F3000-memory.dmp

memory/3012-4-0x0000000000140000-0x00000000005F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 60d21a39a1b117c3bc3560b0a83aca68
SHA1 2fb017dc561235ef750452792d1673dba85d9a9f
SHA256 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
SHA512 ef5bbef34d70d206fce276fef0c0785685157b3e91baeb908a52d97ac44264dc7b8bb3f1835306e470a48b6e3c24b094318455f6b28e77ced69c74c5446dd106

memory/3012-17-0x0000000000140000-0x00000000005F3000-memory.dmp

memory/3804-18-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-20-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-19-0x0000000000221000-0x000000000024F000-memory.dmp

memory/3804-21-0x0000000000220000-0x00000000006D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe

MD5 44e6e18e8db12ef131a8be9d98aee0f7
SHA1 3a40de306cc9a8799ca113d7cf17bbbda56c0736
SHA256 7b2d7d6f2f33c8daa980a619541045a976794e26ab72bd7689ad2d2a1e476382
SHA512 ffccece392b813ac071fb31c8aa8574f2a2e2ea6e6089aa9ffef401035b338451eac63302d79562aa64b9568858be91f9273d2e80180f85e018d583e912772e7

memory/3740-40-0x000000007326E000-0x000000007326F000-memory.dmp

memory/3740-41-0x0000000000AA0000-0x0000000000BF2000-memory.dmp

memory/4012-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4012-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4012-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\0fe2b59edc.exe

MD5 adbe410e187ae39241d2378f7719f885
SHA1 c6f0456e21e72b5546dc0399531639ed7049c00c
SHA256 e0d894321ed7dec422d647ab8c30e8488a28ba923fa61c13154d549170f9d368
SHA512 4a0db229a221be9ab1c59d0688177bf5e5e29e002fb976dfa57e185dd0613ca58a98919093b02f4d42cb915282ef12d1cbd61fd8828cae1f5d4d877b66b121d5

memory/2512-66-0x0000000000260000-0x00000000002B8000-memory.dmp

memory/4128-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4128-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/968-80-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/4440-88-0x00000000007E0000-0x0000000000A23000-memory.dmp

memory/4440-89-0x00000000007E0000-0x0000000000A23000-memory.dmp

memory/968-91-0x0000000000220000-0x00000000006D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\bfb19937-00bb-4c9c-96b7-4b21d1f4ac55

MD5 6d0191d8a9122f6f4d6fad6510500976
SHA1 a9085f0b3cfd22a0df5eaac3cac092c882fcc089
SHA256 93bf2b3eba6f0709d643a9392f73cc6e2217c6f727b89ce31dbdefae434c1b15
SHA512 187bbafa77b14809afa64d0ec41486223e5662ca2daaede72959c1eada5f7db9781af42b12fe5aec7ff43ca72124e536ab9795fa6e778c793676f06883a13327

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\7bfd9825-0006-407c-bdc2-d21534ec43dc

MD5 4e220afab4e3ee3c23172d8eaddd9160
SHA1 4763d6304e23630d220ba980150c5e35431e5e62
SHA256 1525d399e4f568f8daff3c4f1c5663a5ce76a6b54418d6ce09eb8a0505afaf8d
SHA512 0f30fa2f7c7930ef91c10be5886077d90dc3c10ed729fe771922d620e25ae7940e505635890ff56e4c6a78314f0bfdbb28aa62bce138211f130b0d7ecf84a0c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\c21163f1-7c5c-4ebc-97d8-54ae6227952f

MD5 3f9602f5f5ae642e3af4923a3d7c7528
SHA1 9bea6256bf6d9813e4c1d3a776798b02783e0b14
SHA256 0e9b57867c3c3822f1e74df9de32605f4e2fc4910feff6843e91d8db74d36f62
SHA512 801d5a44e72f010eb7046dbf9abe48c31c593559b06c0b749976306eb346dc7328cd6f60cc3827ed49be6a37d7f5b7d35f6423bdf274a00b4fe79886e0414799

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 18b31da0e4cd8a3d252bc68429078a19
SHA1 0c309dc972ad51e03a70d861b392d28dba7999dc
SHA256 b2f92c694d0657536daece10a84632d5edae0d9abb31a9c43ac70a6c343aebfd
SHA512 b3036d59bba11c451265bf967dc87778894779691d880ee43a9fe64bcec8bfaafb3ae325b65d54765c48ca230d1dd1c335db302596ba0b79ea48af1ffe94e280

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 a91e554bc1eae409868d3675289509ae
SHA1 74dfc86fadbf75b04f81ed742f81058fc701fd4b
SHA256 55614d910aafb5389f25ddfefc89593b83a69d4c3a67f453877f4d19c497fd01
SHA512 bf9d401fa58765ffca8e1c8815a1b78e00f4356bd72a62293d9b1cf78919db6da5c77f1ede53edec3c348ec529dc7f9d40245772df394ee1c84ff3a6631efbdf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 aab328e6ca0188727a7faaf7d6586447
SHA1 04644da532daef94cabe1d5b18f80bfc61d6d34d
SHA256 52f39b5fd3bfd559691f8f77533c88a2486019dc8fc9a6b89a13cfb68b78d584
SHA512 ed12ef0abbb8d1c59b178f32f293d4e6a0fd2af045b57ddda1d7541522702b9245f514e3be895719db37398f27cff61263836f0429be837dfbf33b68ba8bbf03

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 fcb86346ea84c1cda6d0c6d7fa811b1c
SHA1 cb1d867c0755074db6d9da088a834942f6561bb2
SHA256 b5f9a5b7f6e26478a7bb90e96cc34c6c2254ba39d3e8fc076081983cc6c92964
SHA512 bdba25271b96f63a8f3495a50c4327a9f50b25efed3e2a9f43a3d46cc9c7eef11198f45665f29da87b635e419e65328ee6f92b648d10b295cb85239f173b09dd

memory/3804-421-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-440-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-441-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-442-0x0000000000220000-0x00000000006D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 a5f3da50adf7297ca54c72d6c09df5cc
SHA1 3071b6069911364bb55f34780271fcad5b7e5419
SHA256 eeced2fd5a1173eccca9f65ef04e0886527c18791f0a7fd4fa6aa1b3ce1280ba
SHA512 b238d70123768cea6e8910d8c0c281b85bad31d78131f11bedcf367ce2eedd29a32230119eef309d2ff913429243160e88f97f90623ebd651511f36a467023ce

memory/3804-455-0x0000000000220000-0x00000000006D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 24b347173a6917e4c30aee133dad4540
SHA1 b34d004af576198dec5c65e2e249343f33b2875f
SHA256 20ac4fd9d73c65b56cdbb62cd69a05f63f380fc30d409daf1c6aa72c4cd1c78d
SHA512 194143efe87d6207128b619cca3db544a3b072e88299eaa83a4c73dbedac864c052393304d87ded674e3ea8e533df758df090963615d6c91c75e3aa750897b05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 545a7b2b3d341d18f5a06e30c222d446
SHA1 db46b1ca190d93fedba22c7f3baf29b4416a8e73
SHA256 fe6046fdd2ea8a6ce3324249a17c44c48daea96eced4c53b4de9846d9536b694
SHA512 62057d6672ead95fd03088bd1537b97f71ef09d0d4e5cae062090791901960383cd5f0eabab32d6395a1361b79778bc3e01dc6ff45c14229325f685186871df0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3caa66e84182382f6c048bd44e3578cc
SHA1 c794b8edceef4ada60e55a2fb71b41305529af2a
SHA256 965f03a78b538ea4f90711c154edc4e5e11ce864789dce10729284f0a1d80a07
SHA512 9fe7992ea19f726bc1579004d3e21e50326e150f564d87f19f70e66d0167025d89cdc0cb622669a718958f5767c694ceff6b5862a8be37062e4b855849db4875

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 34cf8a4c908ff8510d0f2301e4333b25
SHA1 2ebd99544d244ee62300dc603c07abf535d5c5e2
SHA256 b84b8db2935c5388a082dde7e580fc30a9c0f3f8dc95019d6c0c23385ae47bc1
SHA512 38c48f33feb24a659ab8516343ac1314809a426867ff57d8f19bf6dc8a8e12e566b18ed7b6ab8bb4f377a3d047e6d2bd0c481b4744a6409f0b393ea7eb535469

memory/3804-1211-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2249-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2537-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/5728-2539-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/5728-2544-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2547-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2549-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2550-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2551-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2552-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2553-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/4704-2555-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/4704-2557-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2558-0x0000000000220000-0x00000000006D3000-memory.dmp

memory/3804-2564-0x0000000000220000-0x00000000006D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 04:38

Reported

2024-08-15 04:41

Platform

win11-20240802-en

Max time kernel

144s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe

"C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3532-0-0x00000000001F0000-0x00000000006A3000-memory.dmp

memory/3532-1-0x0000000077336000-0x0000000077338000-memory.dmp

memory/3532-2-0x00000000001F1000-0x000000000021F000-memory.dmp

memory/3532-3-0x00000000001F0000-0x00000000006A3000-memory.dmp

memory/3532-5-0x00000000001F0000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 60d21a39a1b117c3bc3560b0a83aca68
SHA1 2fb017dc561235ef750452792d1673dba85d9a9f
SHA256 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
SHA512 ef5bbef34d70d206fce276fef0c0785685157b3e91baeb908a52d97ac44264dc7b8bb3f1835306e470a48b6e3c24b094318455f6b28e77ced69c74c5446dd106

memory/1896-18-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/3532-17-0x00000000001F0000-0x00000000006A3000-memory.dmp

memory/1896-19-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-20-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-21-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/2752-23-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/2752-24-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/2752-25-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/2752-27-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/2752-28-0x00000000000C1000-0x00000000000EF000-memory.dmp

memory/1896-29-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-30-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-31-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-32-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-33-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-34-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-35-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-36-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-37-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/3736-39-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/3736-40-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-41-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-42-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-43-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-44-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-45-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-46-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1364-48-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-49-0x00000000000C0000-0x0000000000573000-memory.dmp

memory/1896-50-0x00000000000C0000-0x0000000000573000-memory.dmp