Malware Analysis Report

2024-11-30 22:08

Sample ID 240706-cam79asdjj
Target ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe
SHA256 ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14
Tags amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14

Threat Level: Known bad

The file ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-06 01:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-06 01:52
Reported 2024-07-06 02:09
Platform win7-20240705-en
Max time kernel 143s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426393487" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D5B20E1-3B3C-11EF-9988-DE81EF03C4D2} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000d6752e52bef86eb1933ce3209eb4d1142b824038812ca061f6d9ebfbf98fa0b1000000000e80000000020000200000001122f9d9f6939cd7d265d8487162a3bb736eda07ea5f1a48c4c1035e6f2e0aa2200000007f29d4e230666c68350770075e53d105ffce6ec2c9e8c0da5a7c102915b7cb594000000048cd965d30a8020db76d41271aa75b755a7982118346b0da4c90a180775e4c067aa16b576a1650abd0c3f3f70ac9075295c1304cfd0b51c9cfb66a36fb87ecfa | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not captured) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806dd34449cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2536 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe
PID 2680 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe
PID 2680 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe
PID 2680 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe
PID 2912 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2912 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2912 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2912 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3048 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe
PID 3048 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe
PID 3048 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe
PID 3048 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe
PID 3048 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1896 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1896 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1896 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1648 wrote to memory of 1640 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1648 wrote to memory of 1640 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1648 wrote to memory of 1640 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1648 wrote to memory of 1640 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe

"C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHIECBAFBF.exe"

C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe

"C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\9e40b1b9be.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | tcp
GB | 142.250.179.238:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 216.58.201.99:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
GB | 216.58.201.99:80 | www.gstatic.com | tcp
GB | 216.58.201.99:80 | www.gstatic.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2536-0-0x00000000012C0000-0x0000000001EA7000-memory.dmp

memory/2536-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2536-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2536-65-0x00000000012C0000-0x0000000001EA7000-memory.dmp

memory/2536-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JEBKJDAFHJ.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

memory/2912-102-0x00000000002B0000-0x0000000000758000-memory.dmp

memory/2680-101-0x0000000002090000-0x0000000002538000-memory.dmp

memory/3048-118-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/2912-117-0x00000000002B0000-0x0000000000758000-memory.dmp

memory/2144-120-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/2144-119-0x00000000002E0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\d37a51d51e.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

memory/3048-139-0x00000000068E0000-0x00000000074CC000-memory.dmp

memory/1812-141-0x00000000010F0000-0x0000000001CDC000-memory.dmp

memory/1812-142-0x00000000010F0000-0x0000000001CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\9e40b1b9be.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/3048-170-0x00000000068E0000-0x00000000074CC000-memory.dmp

memory/1896-182-0x0000000002250000-0x0000000002350000-memory.dmp

memory/1896-181-0x0000000002250000-0x0000000002350000-memory.dmp

memory/1896-180-0x0000000002250000-0x0000000002350000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

MD5 04a00c6fac70560d3a35a36a160c33e2
SHA1 eed2c3224a5bba772be8786b5937b6ddb67d73df
SHA256 1c251676757ff88ccb69ff3da4c9afbe333ab2f89241393bc02152570c45676e
SHA512 73fbbaeef4abefd03862ab61933237d853e2ee764fdd16f409063dd52b61375d37480f2cdffb6c4c2a0171e96e1de0503344f8674e520a70fdd8d4eb9352f11f

memory/3048-234-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/2680-235-0x0000000002090000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2A0E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2A11.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01d114a475837cdbac4f353acd708b1f
SHA1 9a37f457c267814371e37b7d9939da6255c7d05a
SHA256 e2a4a0a80d372867d39d2eee32c8d582392111bee6aa8e372bea8d403d8b45f9
SHA512 bf8d6e6d550ed8aa229e207d1c780ba77fe8ef7e8b6f75ae532db8bb4c2ead79b90a0cb79554fc03e385707cf9c06f5a719eaaadfd0925578e93ca02856adb66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b843ecb8b9a24d3c11b4a7c08722e3de
SHA1 1136ee2058c4a356afcf849507e0491c4f77cb2c
SHA256 756db427c1eb453f3b36436d58b6a92c4a61cace74edc36e8be091a766e296c2
SHA512 3c05682d615b5e62f18d9fb44d5aca5fef68aac4a0d7d66faadcd9576834a4e862c81c8de0df1865d7ec5510b4d4d7deea7c634340e26f324822b3b508113771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 154efa8571595eb794a821384eb4e12c
SHA1 54bf9551329c3e657ea92d08fa331e0b68173fd0
SHA256 e1eb8875e69a35a895061df5cf68db8f534a2e58686cdef7727f0b722750cb5f
SHA512 b2c7b40f97e4dbce2c15565ad563d532b6a96c2e92fd735cefd7d64dff6fcd011e57553969b491d60fc005dd0cb3958983b53124a0139b67bff0a1683bbaf539

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbde9292337d7af2c6cb023a7e63fc4f
SHA1 c68dcc88557a24c3e3bc9bd17e4e7ac460e354e6
SHA256 d027d89192fae9490f804d184f27dc228de7c559c10d98c7d629cfc61d5b0cf0
SHA512 b7618b8849cde1cbb8e3813b2e0e76f68740e3f124632f457bf76196a8378aca5664e89fc6104b9b0e44a90d7dd8a66ecdfd6a9b436dc41566527f7f5025d547

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbf6420463ee4141010faee125e3d8bb
SHA1 cc7876e4a62ad78a8c1af4ebccde8e613a1acc99
SHA256 b3439e8f42525f193e9b1ab91c2d576305c233cf61e7c096c0499dbfba1dff80
SHA512 5f1009cc37a80fd9b373bef73d8b5555a351d7a3614b4014288d7960c68b6af771e481c073a1a0fc020cd6f0c26affe2565d46bd1050a58ad1f0db0f4e18a586

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c25f01c5b2b3a96ce98d5b9dbf5bafab
SHA1 63a1d0cb521364f4900ee959d09de05242e74eae
SHA256 8816e0b22553f343be2c42eca9c9a6920664b65299b02e90be790715c669545a
SHA512 64993ce9caf2b14c0d3a43db265da1124a7d2887bd9ab355bb2690ca3946ffb5d7a3c5ea18a45c3e56cf9d5cfab71f1c97474a2d9e346e33bace8dc78f40654c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4edb9979c60768175963d40c2ba247d9
SHA1 91d25456d43cf4709fab3e935a32e3bf947d637d
SHA256 b65bed82d4f6c2dda8cb4a39d6e3727facace37d5c30ebadeb51920237fa7760
SHA512 2a216cfa1c20de9a310f209fdef857fe6475bf906d0b68fc5959107837def45141e21a64fce06babd64638e06a53589f9db250ddb8690d37577c91358123f59c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f7b320423335631d883c1095ef7acaa
SHA1 c597683f567f94d15713f44c48075809508f247f
SHA256 a6dd97fc491f5b82f61857c97584b9b8ed0a13bbbf126474219f942ab106c295
SHA512 71dba52f7b482c1d92f582f99a6d6db3a95001aa2dac90080edda2acda028830684d91affbdfb9ae9e53f915f958a06b277faae93d68a08552d7465ec39fcfa9

memory/3048-664-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-665-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-666-0x00000000068E0000-0x00000000074CC000-memory.dmp

memory/1812-667-0x00000000010F0000-0x0000000001CDC000-memory.dmp

memory/3048-668-0x00000000068E0000-0x00000000074CC000-memory.dmp

memory/3048-669-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-670-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-671-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-672-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-673-0x00000000009A0000-0x0000000000E48000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b64fb89d86487e6e9bdd2ee256a7caf4
SHA1 13951372ad8f52fbb93a16ddc6e0e3d26a024019
SHA256 ed622e3ce650c341c571f132a8e219cee32f45965666f396d8ef8caf02901829
SHA512 61c1ad11b7d998cd12e40d5a206ad70013d7769ad427d8a1266e19febe09458c1fc43b6eab784c4a7c7eab243944ac83a25c4fd85ed4eeedf8b2a8ce8cc850d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71f8ba84031b7ce00e37c777422e9844
SHA1 fd35a156574f7b4fe06fd328fc3b14aa09253785
SHA256 f37503439a97aec5c591ca3891b5dc037f1f5caab9e97ebb727f923a3415a548
SHA512 e2141b87b8546694507e6ce87095674630c72e0029ef13d27eb7a93c326c2e42e1c268291545ae8938a530136661c8e4763c8a73db4411374ddd7aa4ecd6689b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd83ceeda96855e799e3ac2beaa7325d
SHA1 7ae1cbada82f8c5a80ec5f857fc78fb3553ce3d8
SHA256 48a2fd239d4d6e441f0dd0924c03b27810ff2266cf44b4260d85cf6f6bbe4606
SHA512 427a5082090e6e465c91fb556e207d5d5f821ec6c8df8425e4e536d6815c7cfd5942c414bbab42bf0300ebdec7122a56913292484c1be1fafea8b3a676ac76fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0e40a145df0723e83d469cb296b29d9
SHA1 0295ac43ab2762a9cb2a9c0a6d45ed5b40b1a0f0
SHA256 3dc0443344ba96873c7d5aaedc44bdda093283f3d2bf6b865e157509b3ebf1d7
SHA512 241702b7f0ac5705b43c9f3dff624d67f7ca393c882a8b892301eea5e5e28fe429c84b7b6740a49092b7ec55eec4a819f59840e722033fe34bd5fe8f1a70f324

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b2086470d0a0f36a55f5f27c0ee2367
SHA1 ed7e6e6e00fea10e9293602d74a866a3250e16aa
SHA256 b455b7705df63c0a213edb336ae45729c5f3991a955a0aa37f17a9ac35f42f19
SHA512 077af21a268111a289da51b7c3d8bbca847c48c61235377f8d674ff7748be670a03920991c511dc733222f6b577a88d53ae459ef7c1c58899e9a7567aee099d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 960ea9eefc446ccb4d73a64ad5afba45
SHA1 1288248524d0d3a067e5f6a378f3a2112a5a2a8f
SHA256 669ea85d0e6481c794fd973c1b7b1898a368a87b9b29d644d5c27ab085f5a6f4
SHA512 e106b115cf06fb74e2b29a051ee92dd68dbd196d90a26411dcd7d55392351a1cb9b5aa4f6d2429429c4075ebec2c526e9f5c96f6e263615eb9439e82a4f081ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02e9155e4a9117a7e5969c04c1f69c5c
SHA1 d234e10621612060db306c784680c710dfef3c34
SHA256 5f0cc7b89680ee13056dc8ba9ed7df267571f3e2a6bcfc1f2dc31038eccb8acc
SHA512 3bc6618ae2016b7a5c5a0e52c92971788809d581541db1b5922a593b1fe49ed7ae6cc739348a63049b45d3399ec1b114d9d774f926d2f75b1fe29811a20e33a1

memory/3048-1106-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-1107-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-1108-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-1109-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-1110-0x00000000009A0000-0x0000000000E48000-memory.dmp

memory/3048-1111-0x00000000009A0000-0x0000000000E48000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-06 01:52
Reported 2024-07-06 02:07
Platform win10v2004-20240704-en
Max time kernel 148s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
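The three evasion signatures above (the VirtualBox ACPI DSDT table, the BIOS version strings, the Wine registry key) reduce to a handful of registry paths, so they are easy to pull out of any registry telemetry once you key on those paths. The script below is an added example written for this page, not sandbox code: it scores constructed registry events shaped after the rows above (the pipe-delimited format, the two benign-looking events, the weights and the threshold are this example's own assumptions), counting each distinct probe once per process so that the triplicated rows a sandbox emits do not inflate the score.

```python
import re
from collections import defaultdict

# Constructed sample events (not sandbox output), shaped after the rows of the
# "Identifies VirtualBox", "Checks BIOS information" and "Identifies Wine" tables,
# plus two benign-looking events so the scoring has something to ignore.
# Format: operation | registry path | process image
SAMPLE_EVENTS = r"""
Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion|C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion|C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key opened|\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine|C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion|C:\Windows\System32\msinfo32.exe
Key value queried|\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation|C:\Windows\SysWOW64\cmd.exe
"""

# Registry paths the report ties to the evasion signatures. The weights are this
# example's assumption: ordinary software has no reason to probe the VirtualBox
# ACPI table or the Wine key, while a BIOS version read on its own is common and
# only becomes interesting in combination with the others.
CHECKS = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.IGNORECASE), "virtualbox_acpi", 3),
    (re.compile(r"\\Software\\Wine$", re.IGNORECASE), "wine", 3),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.IGNORECASE), "bios_version", 1),
]
EVASION_THRESHOLD = 3  # assumption: one strong probe, or several weak ones, is enough to flag

def parse_events(text):
    """Yield (operation, registry_path, process) from the pipe-delimited sample format."""
    for line in text.strip().splitlines():
        op, path, proc = (field.strip() for field in line.split("|", 2))
        yield op, path, proc

def classify_path(path):
    """Return (check_name, weight) if the registry path is one of the known probes, else None."""
    for pattern, name, weight in CHECKS:
        if pattern.search(path):
            return name, weight
    return None

def find_evasive_processes(text):
    """Group probes per process; each distinct check counts once, however often it was logged."""
    hits = defaultdict(dict)
    for _op, path, proc in parse_events(text):
        hit = classify_path(path)
        if hit:
            name, weight = hit
            hits[proc][name] = weight
    report = {}
    for proc, checks in hits.items():
        score = sum(checks.values())
        report[proc] = {
            "checks": sorted(checks),
            "score": score,
            "verdict": "evasion" if score >= EVASION_THRESHOLD else "info",
        }
    return report

if __name__ == "__main__":
    for proc, info in find_evasive_processes(SAMPLE_EVENTS).items():
        print(f"{info['verdict']:8} score={info['score']} {proc}  checks={','.join(info['checks'])}")
```

Run against the constructed events, explorti.exe scores on all three checks, DAFBGHCAKK.exe on the VirtualBox probe alone, and msinfo32.exe is reported as informational because a single BIOS read is not evidence of anything; the Geo\Nation query is ignored entirely. To use it on real telemetry, replace parse_events with a reader for your own registry event source and keep the path patterns.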

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3864 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe | C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe
PID 5064 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe
PID 5064 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe
PID 2924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe

"C:\Users\Admin\AppData\Local\Temp\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBFCAKKKFB.exe"

C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe

"C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
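The WriteProcessMemory rows and the command lines above are enough to rebuild the process chain: the sample spawns two cmd.exe launchers, one of which starts DAFBGHCAKK.exe, which in turn starts explorti.exe from the ad40971b6b directory; the second launcher points at FBFCAKKKFB.exe, which never shows up as a process. The script below is an added example (not part of the report or of any sandbox tooling) that collapses the triplicated write rows into a tree, walks the lineage of each PID, and flags the cmd.exe /c start "" "<exe>" launcher idiom whenever the target lives under the user's Temp directory. The pairing of PIDs with command lines is an assumption, since the report prints the two separately.

```python
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = TEMP + r"\DAFBGHCAKK.exe"
AMADEY = TEMP + r"\ad40971b6b\explorti.exe"

# Constructed rows shaped after the "Suspicious use of WriteProcessMemory" table:
# (description, process, target). The sandbox lists every write three times; the
# duplicates are kept here on purpose so the parser has to collapse them.
WPM_ROWS = (
    [("PID 3864 wrote to memory of 5064", SAMPLE, CMD)] * 3
    + [("PID 3864 wrote to memory of 2164", SAMPLE, CMD)] * 3
    + [("PID 5064 wrote to memory of 2924", CMD, DROPPER)] * 3
    + [("PID 2924 wrote to memory of 2020", DROPPER, AMADEY)] * 3
)

# Command lines from the Processes section. The report does not print PIDs next
# to command lines, so this PID-to-command-line pairing is an assumption made by
# following the order of writes in the table above.
CMDLINES = {
    3864: f'"{SAMPLE}"',
    5064: f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{DROPPER}"',
    2164: f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{TEMP}\\FBFCAKKKFB.exe"',
    2924: f'"{DROPPER}"',
    2020: f'"{AMADEY}"',
}

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# The launcher idiom in both cmd.exe rows: start "" "<exe>" detaches the child
# (the empty string is the window title) so it outlives the cmd.exe shell.
START_RE = re.compile(r'cmd\.exe"?\s+/c\s+start\s+""\s+"([^"]+)"', re.IGNORECASE)

def build_tree(rows):
    """Collapse duplicated rows into parent/children maps and a PID-to-image map."""
    parent, children, images = {}, defaultdict(set), {}
    for desc, src, dst in rows:
        m = EDGE_RE.fullmatch(desc)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        parent[cpid] = ppid
        children[ppid].add(cpid)
        images.setdefault(ppid, src)
        images.setdefault(cpid, dst)
    return parent, dict(children), images

def lineage(parent, pid):
    """Root-to-leaf PID chain, e.g. sample -> cmd.exe -> dropper -> explorti.exe."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]

def launcher_targets(cmdlines):
    """PIDs using the cmd.exe /c start launcher, mapped to the executable they start."""
    found = {}
    for pid, cmdline in cmdlines.items():
        m = START_RE.search(cmdline)
        if m:
            found[pid] = m.group(1)
    return found

def analyze(rows=WPM_ROWS, cmdlines=CMDLINES):
    parent, children, images = build_tree(rows)
    launched = launcher_targets(cmdlines)
    # A cmd.exe launcher whose target sits under the user's Temp directory is the
    # dropper pattern worth alerting on; a target under a system path would be ordinary.
    flagged = {pid: path for pid, path in launched.items()
               if path.lower().startswith(TEMP.lower())}
    return {
        "edges": sorted((p, c) for c, p in parent.items()),
        "children": children,
        "images": images,
        "lineage": {pid: lineage(parent, pid) for pid in images},
        "launched": launched,
        "flagged": flagged,
    }

def render(result, root=3864, depth=0):
    """Indented process tree, one line per PID, annotated with flagged launch targets."""
    lines = [f"{'  ' * depth}{root} {result['images'][root]}"]
    if root in result["flagged"]:
        lines[-1] += f"   -> starts {result['flagged'][root]}"
    for child in sorted(result["children"].get(root, ())):
        lines.extend(render(result, child, depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render(analyze())))
```

The rendered tree makes the point the flat table hides: explorti.exe is four hops from the original sample, and every hop except the last goes through a cmd.exe launcher whose target is a freshly dropped file in Temp. The same edge parser works on any "parent wrote to child" style telemetry once the description regex is adjusted.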

Network

Country | Destination | Domain | Proto
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 30.47.28.85.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp
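Most of the Network table is noise for detection purposes: the 8.8.8.8:53 rows are resolver traffic, the in-addr.arpa names are reverse (PTR) lookups for addresses the machine saw rather than connections in their own right, and g.bing.com is background Windows traffic. What remains are three direct-to-IP HTTP connections on port 80 to Russian hosts with no name resolution in front of them. The script below, an added example and not part of the report, separates the two classes over constructed rows shaped after the table, cross-checks the PTR lookups against the connections actually made, and emits a Suricata rule per remaining endpoint. The allowlist, the "candidate C2" label and the sid range are this example's assumptions.

```python
import ipaddress

# Constructed rows shaped after the report's Network table (a subset, with the
# same row kinds): country | destination | domain | proto
NETWORK_ROWS = """
RU|85.28.47.30:80|85.28.47.30|tcp
US|8.8.8.8:53|g.bing.com|udp
US|13.107.21.237:443|g.bing.com|tcp
US|8.8.8.8:53|30.47.28.85.in-addr.arpa|udp
US|8.8.8.8:53|69.31.126.40.in-addr.arpa|udp
RU|77.91.77.81:80|77.91.77.81|tcp
US|8.8.8.8:53|81.77.91.77.in-addr.arpa|udp
RU|77.91.77.82:80|77.91.77.82|tcp
US|8.8.8.8:53|82.77.91.77.in-addr.arpa|udp
"""

# Assumption: the analyst's allowlist of OS and sandbox background traffic.
BENIGN_DOMAINS = {"g.bing.com"}
RESOLVERS = {"8.8.8.8"}

def parse_rows(text):
    for line in text.strip().splitlines():
        country, dest, domain, proto = (f.strip() for f in line.split("|"))
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}

def ptr_to_ip(name):
    """Turn '30.47.28.85.in-addr.arpa' back into the address it asks about."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(labels))))

def classify(row):
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_lookup"
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns_query"
    if row["domain"] in BENIGN_DOMAINS:
        return "benign"
    if row["domain"] == row["ip"]:
        # Connection to a hard-coded IP with no name resolved in front of it:
        # treated here as a C2 candidate (an inference, not a label from the report).
        return "raw_ip"
    return "other"

def triage(text):
    rows = list(parse_rows(text))
    candidates = sorted({(r["ip"], r["port"], r["proto"]) for r in rows if classify(r) == "raw_ip"})
    contacted = {ip for ip, _port, _proto in candidates}
    ptr_targets = sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr_lookup"})
    return {
        "c2_candidates": candidates,
        # PTR lookups that line up with an observed connection corroborate it; the
        # rest are addresses the OS saw for other reasons and carry no signal here.
        "ptr_matched": [ip for ip in ptr_targets if ip in contacted],
        "ptr_unmatched": [ip for ip in ptr_targets if ip not in contacted],
        "dropped": sum(1 for r in rows if classify(r) in ("benign", "dns_query")),
    }

def suricata_rules(candidates, base_sid=1000001):
    """One alert rule per endpoint; the sid range is an assumption for locally managed rules."""
    rules = []
    for i, (ip, port, proto) in enumerate(candidates):
        rules.append(
            f"alert {proto} $HOME_NET any -> {ip} {port} "
            f'(msg:"Amadey/Stealc sandbox report: direct-to-IP HTTP to {ip}:{port}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules

if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("candidates:", result["c2_candidates"])
    print("PTR corroborated:", result["ptr_matched"], "uncorroborated:", result["ptr_unmatched"])
    print("\n".join(suricata_rules(result["c2_candidates"])))
```

On the constructed rows the three raw-IP connections survive, the PTR lookups for 85.28.47.30, 77.91.77.81 and 77.91.77.82 corroborate them, and the lookup for 40.126.31.69 is left aside as unrelated. Note that the rules match only these exact endpoints; for anything longer-lived, pair them with a rule on the HTTP request body pattern, which this table does not contain.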

Files

memory/3864-0-0x00000000005E0000-0x00000000011C7000-memory.dmp

memory/3864-1-0x000000007F710000-0x000000007FAE1000-memory.dmp

memory/3864-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3864-78-0x00000000005E0000-0x00000000011C7000-memory.dmp

memory/3864-79-0x000000007F710000-0x000000007FAE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAFBGHCAKK.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

memory/2924-83-0x00000000007F0000-0x0000000000C98000-memory.dmp

memory/2020-95-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2924-97-0x00000000007F0000-0x0000000000C98000-memory.dmp

memory/2020-98-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-99-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-100-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-101-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-102-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/1792-104-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/1792-105-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-106-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-107-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-108-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-109-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-110-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-112-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/4700-113-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/4700-114-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-115-0x0000000000E50000-0x00000000012F8000-memory.dmp

memory/2020-116-0x0000000000E50000-0x00000000012F8000-memory.dmp