Malware Analysis Report

2024-11-30 22:06

Sample ID 240704-dmyp7atblh
Target 9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d
SHA256 9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d
Tags
amadey stealc 4dd39d jony discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d

Threat Level: Known bad

The file 9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d jony discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 03:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 03:08

Reported

2024-07-04 03:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645361156653837" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 4600 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 4600 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 1952 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1952 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1952 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4984 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe
PID 4984 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe
PID 4984 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe
PID 1968 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1968 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4016 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4016 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4364 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3140 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe

"C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDAAECAEB.exe"

C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe

"C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff3a6ab58,0x7ffff3a6ab68,0x7ffff3a6ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=844 --field-trial-handle=1944,i,12627549284993847933,946160797597406990,131072 /prefetch:2

Network

Files

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe

C:\Users\Admin\AppData\Local\Temp\1000007001\a01b6edcfd.exe

\??\pipe\crashpad_3140_UOYCRVEQWKOQBBKY

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 03:08

Reported

2024-07-04 03:10

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe"

Signatures

Stealc

stealer stealc

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe

"C:\Users\Admin\AppData\Local\Temp\9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1464

Network

Files
