Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-brscvs1gkp
Target 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe
SHA256 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c

Threat Level: Known bad

The file 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:23

Reported

2024-07-06 01:49

Platform

win7-20240705-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8DCA001-3B39-11EF-8EE4-CE397B957442} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fab18e46cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426392325" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000763597471106cc57ec8f17a9bae8b438c69348470adf512ac6e58e5a005bf462000000000e80000000020000200000006ef7c248c44d7a18dca29e640537c61e399c5a92000509fbb7bb7092c92fc1492000000009954101a9544f4323ee4c845faf0bb8e9ab82d693292d9ff9cc5fc53135d6c440000000ecd56744980f52947f11855131a08d36ec2281130c24c5fc025acc15848ecd91d7d36d446c8278f427be5012675a8e08a62b8ce77fcf80012b6a5485f71c036c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2404 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe
PID 2032 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe
PID 2032 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe
PID 2032 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe
PID 2324 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2324 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2324 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2324 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2132 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe
PID 2132 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe
PID 2132 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe
PID 2132 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe
PID 2132 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2080 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2080 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2080 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 992 wrote to memory of 1540 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 992 wrote to memory of 1540 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 992 wrote to memory of 1540 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 992 wrote to memory of 1540 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe

"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJDBFCAEBF.exe"

C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe

"C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\ff3c1955ef.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
GB | 142.250.180.14:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp
GB | 216.58.201.99:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 216.58.201.99:80 | o.pki.goog | tcp
GB | 216.58.201.99:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2404-0-0x0000000001030000-0x0000000001C1E000-memory.dmp

memory/2404-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2404-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2404-65-0x0000000001030000-0x0000000001C1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KJJECGHJDB.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

memory/2324-96-0x0000000001290000-0x0000000001738000-memory.dmp

memory/2032-84-0x0000000002030000-0x00000000024D8000-memory.dmp

memory/2132-119-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2324-118-0x0000000007030000-0x00000000074D8000-memory.dmp

memory/2324-121-0x0000000001290000-0x0000000001738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\dc3068723f.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/2132-138-0x0000000007000000-0x0000000007BEC000-memory.dmp

memory/1064-141-0x0000000000830000-0x000000000141C000-memory.dmp

memory/2132-140-0x0000000007000000-0x0000000007BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\ff3c1955ef.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/1064-160-0x0000000000830000-0x000000000141C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jmgc6we\imagestore.dat

MD5 ac3f05ae1e6c4b4c37c47d01fefbdf54
SHA1 d145fda2de83f9b626d2f908506f90e0baf9dd57
SHA256 dd4e7eb78f662bd9b6a86501dfa1c19376bbe4ea9d118bcce7b6c2ca74f131c9
SHA512 5c283ddc946f83a37c62ef6ebcd9a4ceb44eeacfc737ffc94982c12831bb3fdee87f25289c3833dad699823ce571603883200aa085ca90829801cfd88cf2ee2e

memory/2132-237-0x00000000009E0000-0x0000000000E88000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70fc1f32bf6924ba2e3046b5d4f0c899
SHA1 728b0729e5eaece7267991e5914f135635d877d4
SHA256 25eaedf51777c748e22b5452dd550fa1cbb75f9b1ce5394ada833a6238c8ec27
SHA512 756a7245543af8b0d0bf5590acf42466c283f77d31e6e0a30f5e94812a9e421cd4f290c39f229a0f23221f61d61489283140019416ca9c828510557124bdb323

C:\Users\Admin\AppData\Local\Temp\CabEF61.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEF60.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 865d0613594c00dcc44860094fadd773
SHA1 0e8de9a3b5a9218992baa2a967bd2922c0576dee
SHA256 918ff2b46755def71cab613b04b4b0ea7c7a65fd87ec67284cae01651f7e206c
SHA512 5483beba3fda2072fa878229142542456ec4132acd4df0860efce7cac31b4de6274513f9a97735c54fb80e98348224b1ece8e43d45555e0ca2bf1e3f32db7a73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1819678819fe4f8716908eddc1ffb895
SHA1 f6a27f03e17f9c5273a43f7a73c1f700d0682c41
SHA256 4d2ff5cfcc887eab2adc2634c1b9be083527d39017f00f0c3db21b348ea74b52
SHA512 d71bf8a3dd5b0c425c01c332258dd314dde4e4f39be259533ce2981c0da1a06032777991d0fdeccbd0a1d9c219bf8de0bd73f5930ba6dc4411c96e73f8f17de2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 899d939e6e00612692f75f6895cb4019
SHA1 67e46391bd036dc80659220ad56e6c086089786b
SHA256 df2df4e7261deb2823cc2a1576e2b1de7071463e4ff87cfeea257bad9e6cb4de
SHA512 114a72daa01b7b8c44b8f0b16965b94a44d683534da0a4dae04971d3804d9674f8e0833eb373e213402ac67fe7e8f3e1cbbb33b5d0527bd73c217643dfab4069

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 956bf3532d6cbaf5b7e57e7741d9a33d
SHA1 1af238bcef6c3423b64c19c93b25a31149733190
SHA256 150bf8cf514194ff40186c2c7cae351b539a974c60037dc3d98bb096f84d399f
SHA512 f67059d1c2fc0f9e6050ac21a3b1f7903539bf348e8324ee110daf174d890848b1ac575d6fc43589e1cd38e384f722e041f79e0149d879ee7c3a12e79307fe35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1878b55adb12eb6da20224d7494432f
SHA1 3fe9557dc6b0a342c3ddea45cf58ce9ad1f9863c
SHA256 bce20015f7f1be23b297bb23419d59a260d15735e32693c914faa7c147849ff8
SHA512 1c6fab6da1b243156aa4a0a8849dd0ac705bfe9fe381c663c53071a9da7ab67f52317edab99bf1df3fb8af002a5a622c5ed94f43295fe0e039f064d94352a0ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07fb6c5d59f929993d1e409c2a20853c
SHA1 a1617b489f9863025c548d506714ec320ddcf3e9
SHA256 7e46343a46b919183de7ade475d14b9cc2f94365185fe2299846d447f803d4a5
SHA512 5e2078b1216cf78f7e69e35d91b5a6eb8785ac59d639bcd7313b728277da73a71d019d70991846c77f3e629bf90e02dbf030777149340f269409b108161ed3a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09d9673abe8d4820d8c69d733f76b036
SHA1 e945066339457b2639aa699e8e89b01c45ddd9a3
SHA256 63a14fc38d6a232d4125090e74fc6d614d11c81f4f152b1e1809ace64dca4287
SHA512 0328d342318e2638ac141db3f2bc9e8737ee0e86403dcfea3e4cf924ea47251a3b906136d500b76f7025490a68479b8e0824d97c408880713c57206576f2bd52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3e6c75b8ddec0b96ba4e4b9cf9725ca
SHA1 5671366f3dc9b90befe77159cbb02bc24b2903a7
SHA256 bc18451058e230cb750c9a04eb90169813dc45a2a900c42cb08651632cc03df1
SHA512 d3f9cc2152b5f1ff9cb8a1d135d7bc22dcab5bed52876cd0a4353f1c93c2096d4256a5a65032fbeecc639e3bed9aa3947d2a485f10ed9ecec7109f4de18aea44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9063bd54ba4dc42eef510cc44aa375c
SHA1 5abab963f4ab05a7fd67805952edd0b2ba5eacf6
SHA256 f1b1560e62eeb64080a29c68a35099d795f2672128b47a030f14157b14d0bf9b
SHA512 6ec04e09d2a1d1dee5a4c8c572c6b2ba84b27a2668e6a6e37d56f45508d8ce5086187ad9d5c6ae44c348c97c619dc273ad2f5700e64fea130c1f1393bb42b6d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e277d65aa0c67e855adb1d114601359a
SHA1 c801b9c78af9458facff9ec2b85e182e08ac62b3
SHA256 25ce1ef5454d861fc5d1591cfab66748ee333e1c6b424163215da47590c92099
SHA512 e41a68d344d67fa1730718709438f4f684921a23dc8397c634923f9c2de26ba8ea10510b765d1f8d578d51afa4bedbf3b68836396c0fd0e685c4e9138b2c3a9d

memory/2132-667-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-668-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-669-0x0000000007000000-0x0000000007BEC000-memory.dmp

memory/2132-670-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-671-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-672-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-673-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-674-0x00000000009E0000-0x0000000000E88000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c732ad80b466cce11441c31d93739bb8
SHA1 7c93ccca57cce6f7329710f0dfc8775518f6ed53
SHA256 ca9be3d54e1704e66edf3c722a8e76161e832669f1dde65c33489f93441dfcfe
SHA512 ef29b410bd1a567f93603551affe8e5381d138fdebfe36cfc8943f28c13986057db5e4b95643c9788385dc9632f316e8f2f9566e3c0bd64d500cd77d200cfc63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bba261a5bfab67913ca1204ec7cdc1cd
SHA1 8d646feb473f2f83156f57206f2a98676589f160
SHA256 6a051dc7cbe9f2979e566bfe058bd61d2707bbc505c82121388cb35b705479e1
SHA512 055669a6dcdf7132af1f1a544c8afd14cf53ad973ba8ac2481b71f2e3472037cb0f140a5ca0f40f91fb2eb729686b086eb352e6fb93c44c028e2199c96b7a829

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c4b1834464f455752efac0e2ed9b52c
SHA1 08c48886c0832baa6eee63085b6f83548afaa7f2
SHA256 33cde8e2312c746535272ac90e5d12570c5c49576994ac023f2ab81ebd4bf01a
SHA512 57128b60b963539b9a1f2080cd31439ab208439b5a2211f3c7116bbfbd1067373ea1debcfe5b88f620c1aef599cc91d9cad0407be80563f80cf5efa9a433b0a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d94ee1444287fc3b64c406903767e798
SHA1 f1871658b47ab785074975ce912feb904e393be6
SHA256 5fbbbb657f58bc645d1b258f7f37c7c815c45533153bb34ce67a04b59c42930f
SHA512 301b19948f155f0594fd1ee4c83551db3583830261dde73f4f1b793d2607beb32254d6be6124ce252a0dd318bd307cf64a8a0430c19fad0f10b96c19a651b8d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d6dc08363b041084c8de6e11bd338d9
SHA1 79a9fecd82ee000bd724a0a2ecd1e3d550289ec2
SHA256 ace5ce25a6156c25003f3d27a45494402f29bd3bcc82a2fce6d65cdc6cce7d21
SHA512 cd8199a94501147a97423cfb51cb87453d76575b75fb9e3b5d17e35c2f1b88279269e178205e1c3e6582045b7d60428bf27f0813678ab9e065dd6f59403b0bf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76d27cf23c6a213d94bcb1c562b99bbe
SHA1 81994705c601f299ab2678b7e82412d3dfaad576
SHA256 aa077cb7efa09d6cec0e3dfdf713398aa765fd2dd5989f4daf421d9e7b4abbe3
SHA512 eb2e543fe7ddf7d443a9c8a7d3a48a4e9ae1450af1d8a6f08c07e045f7ddb3ff4589d443c40f23b0184d56b932fc6a3d113f519e3aca2e73a8e6de9a01c231a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5627653156da61e2e8f6d24a1e8d4f0f
SHA1 e12d66d46d992e7fe968c5cbae61953a41c36d15
SHA256 9a7ab65cd1e7e94cd9e317c04e930156ba32efd5cac2202cbd4ec0b5ec5400ec
SHA512 ce1e4f9d5fb305d214670c252f0cb02d6944480f1f1ab3f62e7c7625a92ce2e8cb8b39c875db2230dc9f9224a69415f0d6cf34b5c40e5fdc2614a263dd320e83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebfe0b63fe80db1dca7f67edbfd3e600
SHA1 4643539a2578474ca497ae7139544d0ec322ea8d
SHA256 8fb20d2a949278e60749bd5d441e2d42bcbf2360bf84e015c88c15305cf26d6a
SHA512 12c40a1c75d138c12fdb39c550bcaaa25fe547ab3fc1d00b441ed1058c9bbf6014a129b56270fd2eebb19e6fa4ac788aafc175f83cfd8e04386a61be7ec8d11e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d68aa08228a5bb97a6e8fd6ca2605ca1
SHA1 6e3b17dc0d95d887376162e3dead5ae17593ae6c
SHA256 024dbd8e16233dd664fd8fddb8cfe06b725db746f2fbe8ddcc9899f7b24aeb47
SHA512 a4549f9e0d082a2292e97dafefb689f8488503124fedf2bdad882caf7e04ade4925de9d042fcc6b7f92437bce28fc19f414da1bb834120cea24fb065d0b76462

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b12d240bbfc9551303e2b774f455793
SHA1 3c2c3247cacd073ecf9cb89d1887280fadc9100f
SHA256 076ed59a4730628436f246e0de01b780c9601dce55faa6d83676adb97eab70d0
SHA512 100b96d05b5afc18254b5230e93b8c89998a02e88d86b49b53d873618bf265c487e90d0060200cd9df5792e28c85c330a520748c0f2fd0f76e70343d6064a301

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a3d443a4fdfe07b93c070d6ef2c63fd
SHA1 57a9cb2827ae1744e3ab8426dcf2fd914528c144
SHA256 16a08b8889462468b008b67dc1b9b0395f959e4233d8294d0415930aed4c9878
SHA512 50251db639125bedf975a6ceac449f256855c3290b35fd303d86fdf9e372ff7189df483e3fac5ed9abcb5e62c2f47f39e9d0118700bf9162f216611be551b5c2

memory/2132-1107-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-1108-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-1109-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-1110-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-1111-0x00000000009E0000-0x0000000000E88000-memory.dmp

memory/2132-1112-0x00000000009E0000-0x0000000000E88000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:23

Reported

2024-07-06 01:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"

Signatures

Stealc

stealer stealc

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe

"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1380

Network

Country Destination Domain Proto
RU 85.28.47.30:80 tcp
RU 85.28.47.30:80 tcp
RU 85.28.47.30:80 tcp
RU 85.28.47.30:80 tcp
RU 85.28.47.30:80 tcp
RU 85.28.47.30:80 tcp

Files

memory/4412-0-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-1-0x000000007EFC0000-0x000000007F391000-memory.dmp

memory/4412-2-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-3-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-4-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-5-0x000000007EFC0000-0x000000007F391000-memory.dmp

memory/4412-6-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-7-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-8-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-9-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-10-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-11-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-12-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-13-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-14-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-15-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-16-0x00000000001F0000-0x0000000000DDE000-memory.dmp

memory/4412-17-0x00000000001F0000-0x0000000000DDE000-memory.dmp