Malware Analysis Report

2024-11-30 18:47

Sample ID 221228-2z57ssbh47
Target 094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
SHA256 094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a
Tags cheetahkeylogger agilenet collection keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a

Threat Level: Known bad

The file 094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe was found to be: Known bad.

Malicious Activity Summary

cheetahkeylogger agilenet collection keylogger spyware stealer

Cheetah Keylogger payload

Cheetah Keylogger

Executes dropped EXE

Downloads MZ/PE file

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

outlook_win_path

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-12-28 23:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-28 23:02

Reported 2022-12-28 23:04

Platform win7-20220901-en

Max time kernel 143s

Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"

Signatures

Cheetah Keylogger

stealer keylogger cheetahkeylogger

Cheetah Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ifconfig.me | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\%tmp%\dbghelp.dll | C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1064 set thread context of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe | N/A | 1
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 12
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 1
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 2
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 9
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A | 1
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 28
(consecutive identical rows merged in report order; Events = number of rows in each run; 64 rows in total)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 31
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 33
(consecutive identical rows merged in report order; Events = number of rows in each run; 64 rows in total)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 31
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 32
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
(consecutive identical rows merged in report order; Events = number of rows in each run; 64 rows in total)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1064 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | 10
PID 1488 wrote to memory of 1672 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 3
PID 1488 wrote to memory of 1060 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 41
PID 1488 wrote to memory of 2032 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 3
PID 1488 wrote to memory of 1808 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 7
(consecutive identical rows merged in report order; Events = number of rows in each run; 64 rows in total)

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe

"C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb1b4f50,0x7fefb1b4f60,0x7fefb1b4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3628 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1116 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1020 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 /prefetch:8

C:\Users\Admin\Downloads\kavremvr.exe

"C:\Users\Admin\Downloads\kavremvr.exe"

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

"C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe" ?C:\Users\Admin\Downloads?

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 accounts.google.com udp
N/A 8.8.8.8:53 clients2.google.com udp
N/A 172.217.168.237:443 accounts.google.com tcp
N/A 142.250.179.174:443 clients2.google.com tcp
N/A 8.8.8.8:53 dns.google udp
N/A 8.8.8.8:53 dns.google udp
N/A 8.8.8.8:53 edgedl.me.gvt1.com udp
N/A 8.8.4.4:443 dns.google tcp
N/A 8.8.8.8:443 dns.google tcp
N/A 34.104.35.123:80 edgedl.me.gvt1.com tcp
N/A 8.8.4.4:443 dns.google udp
N/A 142.250.179.131:443 ssl.gstatic.com tcp
N/A 8.8.8.8:53 ifconfig.me udp
N/A 34.160.111.145:80 ifconfig.me tcp
N/A 8.8.8.8:53 mail.tshwanemuslimschool.co.za udp
N/A 102.130.122.225:587 mail.tshwanemuslimschool.co.za tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 tcp
N/A 142.251.39.110:443 udp
N/A 142.251.39.110:443 play.google.com tcp
N/A 142.251.39.110:443 udp
N/A 8.8.8.8:443 dns.google udp
N/A 4.59.181.216:443 support.kaspersky.com tcp
N/A 4.59.181.216:443 tcp
N/A 104.85.0.236:443 assets.adobedtm.com tcp
N/A 52.19.242.51:443 tcp
N/A 4.59.181.226:443 autocomplete.kaspersky.com tcp
N/A 172.217.168.202:443 content-autofill.googleapis.com tcp
N/A 4.59.181.226:443 tcp
N/A 15.236.176.210:443 kaspersky.d3.sc.omtrdc.net tcp
N/A 52.211.247.227:443 tcp
N/A 54.229.62.148:443 tcp
N/A 142.250.27.154:443 stats.g.doubleclick.net tcp
N/A 172.217.168.202:443 udp
N/A 104.110.240.169:443 consent.cookiebot.com tcp
N/A 144.121.3.184:443 tcp
N/A 144.121.3.184:443 media.kaspersky.com tcp
N/A 23.222.36.151:443 consentcdn.cookiebot.com tcp
N/A 65.109.109.243:443 kp-chat.craft-talk.com tcp
N/A 8.8.8.8:53 apps.identrust.com udp
N/A 88.221.25.153:80 apps.identrust.com tcp
N/A 23.222.36.151:443 consentcdn.cookiebot.com tcp
N/A 142.250.27.154:443 udp
N/A 142.251.39.99:443 www.google.nl tcp
N/A 8.8.8.8:443 dns.google tcp
N/A 8.8.8.8:443 dns.google udp
N/A 142.251.36.14:443 sb-ssl.google.com tcp
N/A 224.0.0.251:5353 udp

Files

memory/1064-54-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

memory/1064-55-0x0000000000440000-0x0000000000454000-memory.dmp

memory/1064-56-0x0000000000600000-0x0000000000608000-memory.dmp

memory/1064-57-0x0000000000620000-0x0000000000628000-memory.dmp

memory/1064-58-0x0000000000630000-0x0000000000638000-memory.dmp

memory/1064-59-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

memory/888-60-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

memory/888-61-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 91c9ae9c9a17a9db5e08b120e668c74c
SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 91c9ae9c9a17a9db5e08b120e668c74c
SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

memory/556-64-0x0000000000400000-0x0000000000424000-memory.dmp

memory/556-65-0x0000000000400000-0x0000000000424000-memory.dmp

memory/556-67-0x0000000000400000-0x0000000000424000-memory.dmp

\??\pipe\crashpad_1488_INPYUWBHOGUUBGWS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/556-69-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 91c9ae9c9a17a9db5e08b120e668c74c
SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

memory/556-70-0x000000000042003E-mapping.dmp

memory/556-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/556-75-0x0000000000400000-0x0000000000424000-memory.dmp

memory/556-76-0x0000000000430000-0x0000000000466000-memory.dmp

memory/1748-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\Downloads\kavremvr.exe

MD5 ad6493be2aab2633a27399c9f671150e
SHA1 5b3f4644c68cc0169076c82c4c14ee5ce5c0b3d3
SHA256 a72044f5ca07bdae448d680f9b6b55efe0ff95aca5c29b172dadf810455274d1
SHA512 9e9164730434c6a52581ccafa00b2c0c0d44e336a739cedcecb9e9011553b748c110125893c2a586e1b2072a551cac2083a31a2cf4b14f11b2f4a31d65802045

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

MD5 dd766fe4a4a2c7f9a42df2ff4f351125
SHA1 757ce357ced79e84c11f10d3dafc6be1388ce65a
SHA256 3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4
SHA512 c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

memory/2956-81-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

MD5 dd766fe4a4a2c7f9a42df2ff4f351125
SHA1 757ce357ced79e84c11f10d3dafc6be1388ce65a
SHA256 3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4
SHA512 c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

MD5 dd766fe4a4a2c7f9a42df2ff4f351125
SHA1 757ce357ced79e84c11f10d3dafc6be1388ce65a
SHA256 3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4
SHA512 c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

C:\Users\Admin\Downloads\kavremvr.exe

MD5 ad6493be2aab2633a27399c9f671150e
SHA1 5b3f4644c68cc0169076c82c4c14ee5ce5c0b3d3
SHA256 a72044f5ca07bdae448d680f9b6b55efe0ff95aca5c29b172dadf810455274d1
SHA512 9e9164730434c6a52581ccafa00b2c0c0d44e336a739cedcecb9e9011553b748c110125893c2a586e1b2072a551cac2083a31a2cf4b14f11b2f4a31d65802045

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

MD5 2bc9f78e0273bc92ec3205d22b8f25f4
SHA1 0118a193d27aedb2ac2aa0afa7b91a4cde2a0f3f
SHA256 6d8ea3b0ac5899d9a92c788a481b909239a241a5206cc30afce7f68ac93d761c
SHA512 6c00d7aa37c870531bba57aff1c6b4e667bdc3f155be58af6c73439c87b8bf711c75ef6c85c5e45d45824ff44130eee50ec870a9dc31e6e3803ff90325df22a8

\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\jkbasuy1\inidata.dll

MD5 96b55ef08b994117fca3f633f9dd27ec
SHA1 1b30f03ecc0640f86444b0ce5d37dbecc90ca031
SHA256 758008c3d1390e924107e6b79dda800f5d83fe1888d0c54e47570c078696bdfe
SHA512 536f89089c8801a80f32d4f692c7c017fd07e98670f1d2669017e0737678b5379dc423ca2d45958d4dfe5b86bc5422a0aeffeb90e9931bba8428ce5353a2d1e6

\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\jkbasuy1\inidata.dll

MD5 96b55ef08b994117fca3f633f9dd27ec
SHA1 1b30f03ecc0640f86444b0ce5d37dbecc90ca031
SHA256 758008c3d1390e924107e6b79dda800f5d83fe1888d0c54e47570c078696bdfe
SHA512 536f89089c8801a80f32d4f692c7c017fd07e98670f1d2669017e0737678b5379dc423ca2d45958d4dfe5b86bc5422a0aeffeb90e9931bba8428ce5353a2d1e6

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

MD5 2bc9f78e0273bc92ec3205d22b8f25f4
SHA1 0118a193d27aedb2ac2aa0afa7b91a4cde2a0f3f
SHA256 6d8ea3b0ac5899d9a92c788a481b909239a241a5206cc30afce7f68ac93d761c
SHA512 6c00d7aa37c870531bba57aff1c6b4e667bdc3f155be58af6c73439c87b8bf711c75ef6c85c5e45d45824ff44130eee50ec870a9dc31e6e3803ff90325df22a8

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-28 23:02

Reported

2022-12-28 23:04

Platform

win10v2004-20220812-en

Max time kernel

126s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09442637-42E5-482C-9CEA-1CAB76B0E126}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8307F37F-5ABA-4DF9-BB40-826AC001A692}.catalogItem C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2228 set thread context of 3012 N/A C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe

"C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ifconfig.me udp
N/A 34.160.111.145:80 ifconfig.me tcp
N/A 8.8.8.8:53 mail.tshwanemuslimschool.co.za udp
N/A 102.130.122.225:587 mail.tshwanemuslimschool.co.za tcp

Files

memory/2228-132-0x0000000000720000-0x000000000077A000-memory.dmp

memory/2228-133-0x0000000005700000-0x0000000005CA4000-memory.dmp

memory/2228-134-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/2228-135-0x0000000005640000-0x0000000005684000-memory.dmp

memory/2228-136-0x0000000006380000-0x00000000063A2000-memory.dmp

memory/3012-137-0x0000000000000000-mapping.dmp

memory/3012-138-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1 f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256 ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1 f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256 ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

memory/3012-141-0x00000000055C0000-0x000000000565C000-memory.dmp

memory/3012-142-0x0000000006030000-0x00000000061F2000-memory.dmp

memory/3012-143-0x00000000065B0000-0x0000000006616000-memory.dmp

memory/3012-144-0x0000000006AE0000-0x0000000006AEA000-memory.dmp