Analysis Overview
SHA256
6f5a07dbd1e3e8975fded7630b89cfb1fac97928bcecb339a53aa44541973d72
Threat Level: Shows suspicious behavior
The file 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop was found to be: Shows suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer start page
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:18
Reported
2025-07-04 12:20
Platform
win10v2004-20250610-en
Max time kernel
104s
Max time network
140s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 46.173.209.194 | N/A | N/A |
| Destination IP | 46.173.209.194 | N/A | N/A |
| Destination IP | 46.173.209.194 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Destination IP | 46.173.209.194 | N/A | N/A |
| Destination IP | 46.173.209.194 | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3555224456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000083fad941d8070d40a2589f5cb25229d600000000020000000000106600000001000020000000459d9dd5fc8a144e8f590df01f4f101821bbf4d2fc0533cb39b048cb14c7a40c000000000e8000000002000020000000a8ba8f5a76c61e9c4e73a3528fd507e5d9048b563bd242044fef7f3387b551c3200000000a544b588a11e4061df10469abeac0d405b8a2a4a7c0ac4d5c8c470be5b031d6400000007ea78be7b7a9505b86dd933e98859a1b7714abd5261fdbb5badba73607d7b4b0b775b7c258ae026842169a7fab71c003a7d3341b668b5c7424cdcb651a05bd03 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31190237" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000083fad941d8070d40a2589f5cb25229d600000000020000000000106600000001000020000000b8cddf7f37d6c5421f5b075cf036c2be26ca0e10c9bcd838b9e2ab60509f147b000000000e800000000200002000000037abb182b783651a4e6df4ba743f8848451000ee664edca014d4ec11916acf26200000003842e37f711bfd3d376e004bebe2878fc710731aca4381ac1a5c8f3d6be85d434000000030d9636bbda095998d291cb58f0142757f0f32eeccc5d3adfccfa0cd68243f2911f864e13f08c1ac407c1ff90cc4565e9614025e87758cee6ae2aea28c545e66 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FF6BCC93-58D0-11F0-B231-CA5E4D1D7EC4} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c71ad9ddecdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403d24d9ddecdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 4960 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3408 wrote to memory of 4960 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3408 wrote to memory of 4960 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 46.173.209.194:53 | ctldl.windowsupdate.com | udp |
| RU | 46.173.209.194:53 | login.live.com | udp |
| RU | 46.173.209.194:53 | 194.209.173.46.in-addr.arpa | udp |
| RU | 46.173.209.194:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | foodlabs.ru | udp |
| RU | 46.173.209.194:53 | foodlabs.ru | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5232-0-0x0000000000400000-0x000000000045D000-memory.dmp
memory/5232-1-0x000000000042D000-0x000000000042E000-memory.dmp
memory/5232-11-0x0000000000400000-0x000000000045D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:18
Reported
2025-07-04 12:20
Platform
win11-20250619-en
Max time kernel
104s
Max time network
105s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 46.173.209.194 | N/A | N/A |
| Destination IP | 46.173.209.194 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Destination IP | 46.173.209.194 | N/A | N/A |
| Destination IP | 46.173.209.194 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000fe8cad8f41683e5db4ad33a880d7058b6c69096484e1a827844a8990a8d8db73000000000e8000000002000020000000bde89d3c5b529720d27f21f3b5dc1d58387705352ad64c36585b9e4c332d8ea55000000031a9d869b7c9013d6d1beb10a394c072240092eb050f0f12d2252988ba3e78cdab60072a5cc1887fa358d45efdb8d7100e3503257edd72ed50ad23ff13e4427b559a7cc3cd1f01f0dba0deb99147206440000000ea48686277e5e6f8176d80c09c5ccd663d7d7acf122b958f8353ad8e62722ddd3e615d54198b53090393e9a5a71a1f44c5be4a8e5a8b8fc06d56a29ac867a0d3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = ff68669e6ee1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0cf4ed9ddecdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "653568252" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "2ipm9jp" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Suggested Sites | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\SyncHomePage Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000d3a6c3544aa0e3d79e2b8a240cbac050d3db70db8018b13340bc99cc22de8305000000000e80000000020000200000006547a95fb088db2ec10b4bcad2d7a715c60339753f5862e20fafc73e2a643cee1000000076d8b49370b3f07eb9a25bcbfb0e34ce400000002d0de9c96f4e21c12da0b8d3cfface1c4cf896253ab8be10bd256ba2ad0833fb7d2eb818919675f4a3f04fd03a0ce462346641db5a25c5cf965716a7803b81b7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000a3b05b2ac805200a2dd8895c2560fc6abf617897caa7fc4430a8ccd95db7389c000000000e8000000002000020000000493c54d087b9a006f7bdc7c0f58b61e8c32c10a4b49a3b4f98e9d77d014dbe4a20000000ff80527dacbfe39d2d33a7ee3e59d815006ecfb58ae91fc854f8b08ac151f0e44000000017a7b455e712aab53d9a446ad553da21a796807b10fb51f361006f73e66d2f3dc4afd12b496a8f1759d55631ac50e84285994c10bb65f0cc898d8eb076b1ec82 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000321de5727a31ac635d85152db60ba71bc815423c65db223428925fa30bbf2183000000000e8000000002000020000000705b5f119761cac6af6fbfa44c7e446f4e011190343866d3ec4eeba4e824998b100100007450e644c0804d8a42e1a29a189d2eb0fc4b31c7cd6b5b88fd97e62fd760b4fbf8bce8d34a0880dff53ba53389d0d6ee64f6cf5801f7cecb32c05c5e3604c9b605297751b3e0a812126f4b214f88cc3c5d4cd52d80b944907e4973e952ab6681d412936d915fa97956e33f9ae1a8d5e78e0619e39025d5a9210eaceed792eef3a59acc8b32d679b3c947bd5e0fce0f85fff473b4c66e75fb3a95710b285f1a281fbf99f8c74c8c7c62166840a88b89aad72a87ca5760f5b1fc8abb58252cf97d9b84a9f6c1cfe7d075d1b85945c8cca4b54e7754094fa79753dad60b9ad2644cc4ef28114e52b5d7da6d68f4c2dda6f050b6aeca37316ab29a68376812464da4fe4f98a02159f34df8197c2e51a0e079400000008ae6c05790e6bbf9825645b2b1f3fde9e25efa315e39e27da2310df88204efbdc33ca89efdb0059f110876253556fc121e4a13f2751344563718e9f2c3c90fa2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Recovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\Start Page_TIMESTAMP = a79e6fc7ddecdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF61E568-58D0-11F0-A270-F25F595D3B73} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31190297" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = ff68669e6ee1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:668708 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:668710 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 46.173.209.194:53 | go.microsoft.com | udp |
| RU | 46.173.209.194:53 | 194.209.173.46.in-addr.arpa | udp |
| RU | 46.173.209.194:53 | foodlabs.ru | udp |
| US | 8.8.8.8:53 | foodlabs.ru | udp |
| RU | 46.173.209.194:53 | nexusrules.officeapps.live.com | udp |
Files
memory/2664-0-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2664-1-0x000000000042D000-0x000000000042E000-memory.dmp
memory/2664-11-0x0000000000400000-0x000000000045D000-memory.dmp