Malware Analysis Report

2024-12-07 19:13

Sample ID 241114-ghe9tsvgpp
Target file.exe
SHA256 8aaebccc9293cc18d00a262b2ea6235d270454ab5f61b76a9270537a6e5cdc28
Tags
amadey cryptbot lumma stealc 9c9aa5 mars credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8aaebccc9293cc18d00a262b2ea6235d270454ab5f61b76a9270537a6e5cdc28

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey cryptbot lumma stealc 9c9aa5 mars credential_access discovery evasion persistence spyware stealer trojan

Stealc family

Cryptbot family

Stealc

Amadey family

Amadey

Lumma family

Lumma Stealer, LummaC

Detects CryptBot payload

Modifies Windows Defender Real-time Protection settings

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Uses browser remote debugging

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Windows security modification

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates system info in registry

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:48

Reported

2024-11-14 05:50

Platform

win7-20240903-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Detects CryptBot payload

spyware stealer
Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\814cfbf1a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006138001\\814cfbf1a2.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\3310d41370.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006140001\\3310d41370.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\f8bdb2809f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006137001\\f8bdb2809f.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\DocumentsHIDAFHDHCB.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2268 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2268 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2268 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 2672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 2672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 2672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2616 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2616 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2616 wrote to memory of 644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8289758,0x7fef8289768,0x7fef8289778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1600 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3356 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 --field-trial-handle=1388,i,8256959360603472817,3988879571031346993,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsHIDAFHDHCB.exe"

C:\Users\Admin\DocumentsHIDAFHDHCB.exe

"C:\Users\Admin\DocumentsHIDAFHDHCB.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe

"C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe"

C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe

"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"

C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe

"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"

C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe

"C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8139758,0x7fef8139768,0x7fef8139778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2376 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2400 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe

"C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1596 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2960 --field-trial-handle=1412,i,5174120627131650963,14030916111705971092,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe

"C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 964

C:\Windows\system32\taskeng.exe

taskeng.exe {3D83CF2A-629B-4FC3-9B69-8A066446D75C} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

Network

Country Destination Domain Proto
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
N/A 224.0.0.251:5353 udp
RU 185.215.113.206:80 185.215.113.206 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 home.fvteja5sb.top udp
RU 141.8.199.217:80 home.fvteja5sb.top tcp
US 8.8.8.8:53 frogmen-smell.sbs udp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 8.8.8.8:53 fvteja5sb.top udp
US 172.67.174.133:443 frogmen-smell.sbs tcp
RU 141.8.199.217:80 fvteja5sb.top tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 8.8.8.8:53 fvteja5sb.top udp
RU 141.8.199.217:80 fvteja5sb.top tcp
US 172.67.174.133:443 frogmen-smell.sbs tcp
US 8.8.8.8:53 www.google.com udp
RU 185.215.113.206:80 185.215.113.206 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 fvteja5sb.top udp
RU 141.8.199.217:80 fvteja5sb.top tcp
N/A 127.0.0.1:9229 tcp
N/A 127.0.0.1:9229 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:58838 udp
N/A 127.0.0.1:9222 tcp

Files

memory/2268-0-0x0000000001170000-0x00000000017EB000-memory.dmp

memory/2268-1-0x0000000077780000-0x0000000077782000-memory.dmp

memory/2268-2-0x0000000001171000-0x0000000001188000-memory.dmp

memory/2268-3-0x0000000001170000-0x00000000017EB000-memory.dmp

memory/2268-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\??\pipe\crashpad_2616_UWLJIATPKQXWQJSW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/2268-83-0x0000000001170000-0x00000000017EB000-memory.dmp

memory/2268-85-0x0000000001170000-0x00000000017EB000-memory.dmp

memory/2268-87-0x0000000001170000-0x00000000017EB000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Users\Admin\DocumentsHIDAFHDHCB.exe

MD5 525a62fb9aaf54388648e0e6f513b88a
SHA1 a65aa66b58a95c00fb86c8c8e0b3d35ddc92eae5
SHA256 ff5e651fdd9c0852e1ff03349ebcb37eb30038c67ee074629626ee9eb1e33719
SHA512 d0d1c32840a0e5a0b98ac49c1f1bf127f74808e16dc3f7eee93f548e97395afad3b7723a57c94201cace48567e0cb7479b7571589248a3428a091423819cb377

memory/584-130-0x00000000022A0000-0x00000000025C1000-memory.dmp

memory/2784-132-0x00000000002E0000-0x0000000000601000-memory.dmp

memory/2268-134-0x0000000001170000-0x00000000017EB000-memory.dmp

memory/592-144-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/2784-146-0x00000000002E0000-0x0000000000601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1005956001\2912f1e30b.exe

MD5 5d43fa776412e600f94c9b2d5c9a9164
SHA1 278534df49f9793ccb627b42eda9d3b361c15d3a
SHA256 1b8fffab3acd50d8cd04fdac88933947deb5199f742db3f1b0141ef202f5a64f
SHA512 50386520befc2f3ed48d24496ff92f21856e2e5d58cf071df9dc5b5ca8b256bf5e0199ce3d5e7e2109dd56d9d58dc04ebbcae615660740c777d4e37b6cfbfa45

memory/592-165-0x0000000006510000-0x00000000070B3000-memory.dmp

memory/592-163-0x0000000006510000-0x00000000070B3000-memory.dmp

memory/592-166-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/1732-167-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-168-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/592-170-0x0000000006510000-0x00000000070B3000-memory.dmp

memory/592-169-0x0000000006510000-0x00000000070B3000-memory.dmp

memory/1732-171-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-172-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/1732-173-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-174-0x0000000000900000-0x0000000000C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe

MD5 8fb77810c61e160a657298815346996e
SHA1 4268420571bb1a858bc6a9744c0742d6fd738a83
SHA256 a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
SHA512 b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2

memory/1732-187-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-188-0x0000000000900000-0x0000000000C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe

MD5 5b015748645c5df44a771f9fc6e136c3
SHA1 bf34d4e66f4210904be094e256bd42af8cb69a13
SHA256 622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909
SHA512 026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302

memory/592-205-0x0000000006510000-0x00000000069B7000-memory.dmp

memory/592-204-0x0000000006510000-0x00000000069B7000-memory.dmp

memory/2980-207-0x0000000000C30000-0x00000000010D7000-memory.dmp

memory/1732-208-0x0000000069CC0000-0x000000006A71B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 93799c2ef9bce2e3f81d0de138112288
SHA1 b226c997df4d08624989b582925fead05f045ce4
SHA256 dbcd02bc28c431686bf1b2d1cf835c345d832c5e713563a58c6dcfa000c4f997
SHA512 5e8689f10fc2a1cbfbb934a7673a4f15ac96481f3afa7cb505a70cb5c8e5dc704ad9c17db46f41b2a727b82919cac2a3ec70397989aba9637770bd570b9cce0c

memory/2980-220-0x0000000000C30000-0x00000000010D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006137001\f8bdb2809f.exe

MD5 8a2ec2ffdf8ab213de19cdb467352c6e
SHA1 f5ff6ac1308d98a26603845f139a6186f0da800b
SHA256 e201f8ddea2e43792f0cb4b4df74e6588cc4ed4ca3bba7432f2f0e9116ab9c9b
SHA512 d3e3319831b35b4018b8016b04775daf67779e15dc8f9eec9af2b491d936cff493fcdb453178e999be23b1dbaa63d697d5a8f918725e978da79efbc4c2f1de3a

memory/592-239-0x0000000006510000-0x0000000006812000-memory.dmp

memory/592-238-0x0000000006510000-0x0000000006812000-memory.dmp

memory/592-237-0x0000000006510000-0x00000000069B7000-memory.dmp

memory/1732-241-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/1256-240-0x00000000010D0000-0x00000000013D2000-memory.dmp

memory/592-242-0x0000000006510000-0x00000000069B7000-memory.dmp

memory/592-244-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/1256-245-0x00000000010D0000-0x00000000013D2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

MD5 c806c4473f82ec409d0d01281513adc3
SHA1 a2a0d2dea8fb5429c8eb339d7504936db8b7ed95
SHA256 92cd61a571d3eb9dbff4319c293faf68a9a0960bd7efac19cd413df10d0b325a
SHA512 febbaad04eaa215c13f624905fa79c93f04057432895a67e93a41343fcbd02da3424713c62b068429d75a6833981c54f1dfa2df81d9d5ec891ab40fdd5bb2895

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

MD5 e089fcf6942b9bf7a696a01ca534250b
SHA1 9eecb4f40e86cc9f9fa12af22c4c7c54bcd3758e
SHA256 81e875cf05ac722a9021a3610e9b50fa944908cf495de2b001f1815a777593aa
SHA512 95e964ffc948206a1d99dd37781373a95a61dd8b5751456c24d21a9b4f1a99493db77037b26a278abb9650c6acb2cd96c32dae3a2bfb15ee287aaadac40c5455

C:\Users\Admin\AppData\Local\Temp\1006138001\814cfbf1a2.exe

MD5 0bc6d32951c68f2823d90552521d9098
SHA1 3d807d2392d0356106d0bb96b7ed1612a9425c02
SHA256 8aaebccc9293cc18d00a262b2ea6235d270454ab5f61b76a9270537a6e5cdc28
SHA512 0c75910e99b53a28dbf71fee41b32179c844e9b620783c76b06edcf6187f05afc81c307533d51978ad6430550356e17fb5a37d9ee6cc92f64609e4a847ecd982

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

MD5 22b937965712bdbc90f3c4e5cd2a8950
SHA1 25a5df32156e12134996410c5f7d9e59b1d6c155
SHA256 cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 67ba198cd0f16eb5518caa57c40ec68a
SHA1 1fe0be091db4cd820bf6ece08c6e5b63c996518b
SHA256 9517440b2c1328bd0e49bf91fbddddcd792f427c767db983f56325d0593e0a45
SHA512 6395a51bb1436df6515b9501179fef491132262f95954e527dc64519571e22fec29fbe909114c5cd7a65cb0f7b8c9f61359bed30c7700f92c79da2f75db0934e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

MD5 1686afa47a4cecacef69ec69f8da73d0
SHA1 86d3a04efc4480c1c4d4ec7f6c2ee0c74cdbf1e4
SHA256 6718f41cfed3e78ee743a58d0e59a04ef6aa650020b5f9b8d7ee17a5d8285d80
SHA512 f8bd878c8f39d074578df8cbe1d5aff43316f1833c9a9a392a62db40ced35d61813bb3ec4312b61ac8284f033b08819bbb2e2996bc40e8409f2926ccb60838c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

MD5 17955c6a1bfe62d0dc5fef82ef990a13
SHA1 c4bc3f9ccf3fa9626c9279ecb1a4cbfbf4a0fcf5
SHA256 1cba135964cd409db09911c7cd4699112622596ff633cea868a83c54088c03a7
SHA512 5fb73bb4f7eb1c9e26f34e5d0f310783c7e629e717760ee38731a52a8e3fba6831d77abf0f37631fed820839a00c9242a582e59266de08d3c92c5c4f83c8e7a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 5cd5b548148319aa10f38fc68a6e7cea
SHA1 c251d9d7de473a78cf8cfd36bd8aebe52f21de8d
SHA256 4304d991ae6a9dff114a9e00c03b2f9290d7f47af4fe945b1dfe24480b9547da
SHA512 32c00f76fff45c24f7483fae105a7d8b3440f605a38f49e7d3160983cfdd4eb9ac7631142b98fd1a3a655e3bc55e9885e3c021a5ecf638a16cbee8d3fb7fe824

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 ba9989410d716a22402772f7579c497b
SHA1 e382fd8a875080e0bc8d207a7714f1bb80e49166
SHA256 44b5004d498de3043d1f4775bdbeecf54135c83125021a3e68fcded07299936b
SHA512 bc9b14c99089e450cae307b7439b4624265925eeee20a89bf6dc13a9e6f4a54ab242d095d0549cbffa3cd88ea622eb1ea9d6ad9154a3b75a09448aabae4c1c5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 126b5b18c4720f82d08048fce3e00c5d
SHA1 c959c653ca5625f77cddd895e24a832fa6e54650
SHA256 081f0934cb781578e1ef3aa0559894968a325204cb3070e19005f2e33ed729e3
SHA512 00e38cb57801b06f483aa0638c08e68fe1719700a5b3047554cca40858f8c873d7e0d192e95eb79ec21e3584437acdc46382435334da506eb4f6483c6c7cfab4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

MD5 78c55e45e9d1dc2e44283cf45c66728a
SHA1 88e234d9f7a513c4806845ce5c07e0016cf13352
SHA256 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec
SHA512 f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 c31c316db47850aea889ff86c387412f
SHA1 a1bd8b80c2cca30d42bb1d66a9576c50fed31f6c
SHA256 ce459eacc962b25ca8acce81b442dbd208a6fb23ef79c62879f3de18d8b546aa
SHA512 818828320dc5a7fe0a01374135cf60cf22a8f30e2ae57b89b3d93a9f7ca866e69871581add3488e0ebeb1d911247fb3c44182d57d9bfccca4311f9e6b275d3d5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log

MD5 e556f26df3e95c19dbaeca8f5df0c341
SHA1 247a89f0557fc3666b5173833db198b188f3aa2e
SHA256 b0a7b19404285905663876774a2176939a6ed75ef3904e44283a125824bd0bf3
SHA512 055bc4ab12feedf3245eaaf0a0109036909c44e3b69916f8a01e6c8459785317fe75ca6b28f8b339316fc2310d3e5392cd15dbdb0f84016667f304d377444e2e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

MD5 808d27b91e3e1341a47002f2b5391e7a
SHA1 4db8eb2b325f3961691d67c3dfc7a055f5ab7566
SHA256 e2ec918406d54bc12e23f4b6735b870fb72b3d440f65dc5a5b390bcab8c2716a
SHA512 2b27ddd42df50df75ba3408acd7da192301414c6986c972f383631349d6e0376cc96c80c86f41a24f62aaa599f30a4cadced3f35d6209f371df703845b5d3506

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

MD5 b6d5d86412551e2d21c97af6f00d20c3
SHA1 543302ae0c758954e222399987bb5e364be89029
SHA256 e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191
SHA512 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

MD5 50e0a00e9e3eca5dd3e80d3e6e8b8eb6
SHA1 f0afa409c7ab927938c8dedf7e57c0f355103cba
SHA256 7c820f099ace6ab1f6694f5b610412ce0cd81c64a500bc8558ae5ff9042a9c8c
SHA512 7834f7052e6d21e6aba4b5445b555103bfb9f1e04457a5aa7363918e97e0d7dfd0e08a9136c377600fd3a1c8818296b76e9eb09c7217b4e8b9229bb81689a79e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

MD5 1c0c23649f958fa25b0407c289db12da
SHA1 5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574
SHA256 d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf
SHA512 b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

MD5 9f3e8d288c03e64be28a5460c7949c52
SHA1 adab57a3ac68eda15fb0b907eb68783080cf1732
SHA256 4e1d368bb0be79af83bd37c2f8d1b85b29868a88fe7bf8e181578842978ba5ff
SHA512 2ec73b6ecf511de4c825ed9e07c260424691ca93f394d1db4f0b9f7a99e4d8dce399a372aa836664e97d6305c6b160831bac56c105b1da11a5ddf2b2c4fe514f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

MD5 fe62c64b5b3d092170445d5f5230524e
SHA1 0e27b930da78fce26933c18129430816827b66d3
SHA256 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

MD5 962a86872a0453b60b249ff4be84cf3c
SHA1 1456d80e026bc30578a5e2875ce8754ddff71445
SHA256 5d7b4abac79256e730aa4425c584848c45af51f33dba329bfb6614de10096ebe
SHA512 f5eddb216d1eab2c43a3845065e744cdb51758ecf072276089478021f5d1a610449a12c46c54689cc709556b7afbe327a4eaf0ff1a41de6180d70bfb07fa7793

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

MD5 e80211f14211ab42416dc6c105f891d9
SHA1 c454bc4bbf04b0b3c83ebb2cc58fd2af39abf183
SHA256 5093a8b65a636a5b37c58d4889d0714ecdcd84a66e5babee37928c8b33ea3e51
SHA512 7edf6411413b1fe5a2c4412df793c0fac45f0582bcf523cdce4b13f9bd524b1cab308835131312d3c58d084b9070fcc94a004b7c6bb9e4d66b2c7f413d628e95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

memory/396-335-0x00000000009D0000-0x000000000104B000-memory.dmp

memory/592-334-0x0000000006510000-0x0000000006B8B000-memory.dmp

memory/592-333-0x0000000006510000-0x0000000006B8B000-memory.dmp

memory/396-344-0x00000000009D0000-0x000000000104B000-memory.dmp

memory/592-348-0x0000000005DD0000-0x00000000060F1000-memory.dmp

memory/1732-351-0x0000000001100000-0x0000000001CA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1006140001\3310d41370.exe

MD5 34e8c7240d1aa7a1f075fcf6bbce8e03
SHA1 3ad15d539b70bc3918a224913e799e568af28702
SHA256 1aef45a52466a2ff26708fe6ad234ec25c1f3b098a1c4785e9b91420257a0912
SHA512 8fabcfcde94eae0c71507bf6d243aa963cf677762b404999f8d921ddaf460a30cd5b4e989051b17f8c2c6fca9e4fd805df29d128173c0a8f2c75b772fe02da13

memory/592-352-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/2284-364-0x0000000000D00000-0x0000000000FBC000-memory.dmp

memory/2284-365-0x0000000000D00000-0x0000000000FBC000-memory.dmp

memory/592-366-0x0000000006510000-0x0000000006B8B000-memory.dmp

memory/592-367-0x0000000005DD0000-0x00000000060F1000-memory.dmp

memory/1732-368-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-370-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/1732-378-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/1732-379-0x0000000001100000-0x0000000001CA3000-memory.dmp

memory/592-380-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/2360-381-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

memory/2360-382-0x0000000073F40000-0x0000000074074000-memory.dmp

memory/592-383-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/776-384-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

memory/592-387-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/592-390-0x0000000000900000-0x0000000000C21000-memory.dmp

memory/592-393-0x0000000000900000-0x0000000000C21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:48

Reported

2024-11-14 05:50

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

Country Destination Domain Proto
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/3680-0-0x0000000000320000-0x000000000099B000-memory.dmp

memory/3680-1-0x0000000077474000-0x0000000077476000-memory.dmp

memory/3680-2-0x0000000000321000-0x0000000000338000-memory.dmp

memory/3680-3-0x0000000000320000-0x000000000099B000-memory.dmp

memory/3680-5-0x0000000000320000-0x000000000099B000-memory.dmp