Malware Analysis Report

2024-11-30 21:59

Sample ID 240704-rdywgsxfpm
Target 7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83
SHA256 7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83
Tags
amadey stealc 4dd39d jony discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83

Threat Level: Known bad

The file 7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 14:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 14:05

Reported

2024-07-04 14:07

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645755349894121" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 112 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 112 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe
PID 4120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe
PID 4120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe
PID 4120 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe
PID 4120 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe
PID 4120 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe
PID 3936 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3936 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 3124 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 3124 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 4384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3500 wrote to memory of 2500 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe

"C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe"

C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffd8e80ab58,0x7ffd8e80ab68,0x7ffd8e80ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJKEHCAKF.exe"

C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe

"C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1896,i,11437236683991315169,18018057241049616425,131072 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\5f1fead9ee.exe

C:\Users\Admin\AppData\Local\Temp\1000007001\6992b9a685.exe

\??\pipe\crashpad_3500_JJJQGXNTPWJUNWXP

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-04 14:05

Reported: 2024-07-04 14:07

Platform: win11-20240508-en

Max time kernel: 146s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe

"C:\Users\Admin\AppData\Local\Temp\7111ac76c4d22382e60b0d07a32ac1ee200f37f76c42dce5854f7fbe26459a83.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 77.91.77.82:80 tcp
RU 77.91.77.82:80 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe