Overview

overview

10

Static

static

10

potphbksed.exe

windows10-2004-x64

8

potphbksed.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/04/2025, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    potphbksed.exe

  • Size

    137KB

  • MD5

    9d6c51f4f9e0132ea410b8db3c241be6

  • SHA1

    8aa67a34b626f61e6ab053f8a51e7c5142865fe4

  • SHA256

    61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31

  • SHA512

    479dd4703e0b462d7c0cfee5bdcaed97d8888f6c1fb04aad6e6d1a098b5a61701dd19a2635c64cb4cc77038445e5e498fdf8af75d728e5a58988047d3c4e2790

  • SSDEEP

    3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QLGu:KH8RuRLlzgUd6a/AslLGu

Score
8/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\potphbksed.exe
    "C:\Users\Admin\AppData\Local\Temp\potphbksed.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      2⤵
      • Uses browser remote debugging
      • Drops file in Windows directory
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5172
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb431adcf8,0x7ffb431add04,0x7ffb431add10
        3⤵
          PID:3556
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2080 /prefetch:2
          3⤵
            PID:620
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1940,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2188 /prefetch:11
            3⤵
              PID:2672
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2548 /prefetch:13
              3⤵
                PID:4864
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3316 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:2036
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3336 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:4252
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4312 /prefetch:9
                3⤵
                • Uses browser remote debugging
                PID:4536
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4724 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:1040
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5344,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5352 /prefetch:14
                3⤵
                  PID:2808
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,12132123511107158388,12456453942761484640,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5420 /prefetch:14
                  3⤵
                    PID:5836
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  2⤵
                  • Uses browser remote debugging
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of FindShellTrayWindow
                  PID:1204
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ffb31fdf208,0x7ffb31fdf214,0x7ffb31fdf220
                    3⤵
                      PID:5736
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,5723555055294706980,3865433532463409048,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:11
                      3⤵
                        PID:1076
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2112,i,5723555055294706980,3865433532463409048,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:2
                        3⤵
                          PID:2148
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2508,i,5723555055294706980,3865433532463409048,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:13
                          3⤵
                            PID:1064
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,5723555055294706980,3865433532463409048,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
                            3⤵
                            • Uses browser remote debugging
                            PID:5968
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,5723555055294706980,3865433532463409048,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
                            3⤵
                            • Uses browser remote debugging
                            PID:3848
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\q1djm" & exit
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:1676
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 11
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:732
                      • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                        1⤵
                          PID:3768
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:5348
                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                            1⤵
                              PID:3980

                            Network

                            MITRE ATT&CK Enterprise v16

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                              Filesize

                              414B

                              MD5

                              68040e8620b8ecd3f780bc667aa8471b

                              SHA1

                              3c6d3a422f7eda7560ec8701e7061996ae577e0f

                              SHA256

                              d0f538a36bc8bed577922f47723e4b3ff95d1d5baaf3226d0e889b6d2af0023a

                              SHA512

                              4838e490ddb324633265260481ae761a8d7755c93dee40c3400c78a712a5330c8819074366075beb0137dd9b20acb22a74270489e0b5608898152f797e3813e8

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              78KB

                              MD5

                              160510266e116979670a418ba478ba3c

                              SHA1

                              8ef3a88bbbddc833ea955ece25130dad8805fe2c

                              SHA256

                              d9e37813c4800aa30e64abd42023d0a1d58b815eaeafa2e7014087fbb97a91dd

                              SHA512

                              57f70b221d243a6c73b827145a3b47bc471661f69f3c5c9853f527c5e0ab1e7a4d4ed2ff6cce3eaf0d79b773c208b12c95317531ef05c1053187d2e69bb1b56f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              280B

                              MD5

                              978d790ea9bbd3b3113b1d32773304fa

                              SHA1

                              61c9b3724e684c2a0507d7c9ae294e668e6c6e58

                              SHA256

                              36c686a276e904607d2a18c2a2fc54467fb8dc1698607f5d5a6cefb75aa513c8

                              SHA512

                              d50740255d20d2a5e6abdc78f4fe9ef6e832f2ffe9ecc200916a73db1e0dd37d67d88996b315e128bf5b77bb110e4e8c29905aa5d90b83019be2cc8127d0dfc5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\084a61fa-fbad-499d-bdbc-0af2b87f988d\index-dir\the-real-index
                              Filesize

                              1KB

                              MD5

                              a6366995c0b5ee4316ab306a72e4c0d7

                              SHA1

                              d423d871b7f735b745698716a2343cb7a30727fd

                              SHA256

                              b2a8130ab373ca412f550ce16d6cdbd06b80eeb75ad4598cb0eed13d66c92acd

                              SHA512

                              b6059ec3a25e14c0914438ebb465439e4b3f3b859af4aa22389a9d6c29b2de15ade4959eafbe8936a06acafc74a750cf11e43c5b6dc9fd540447918973d85f2b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\084a61fa-fbad-499d-bdbc-0af2b87f988d\index-dir\the-real-index~RFe57c9c8.TMP
                              Filesize

                              1KB

                              MD5

                              798837aeb4648b49323da60eddb26b2e

                              SHA1

                              ff3ca159429741acf38d2140d7ece4a0cf51c7d4

                              SHA256

                              0b8c6ea4e7806d48d3294a028f01cbe7b450f029704e2280a795780a781e9cf8

                              SHA512

                              18d25061d3dc290141ec1f29bde855ba4e82069b78e92bb0eb7b4fad3939ba85e90a2799bb74a56c6e89f677cda244722d83f5eb2c7014d30f81793add6ac337

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              40KB

                              MD5

                              6f5082e59bff654801b3afe1c776ad16

                              SHA1

                              5e37dd7e41c89d215905aca1912df4765782e794

                              SHA256

                              16db5aad3fb4c6189a6fbb81bf3ca8fc5f18e8160ab071e1d25d99f17d0ea906

                              SHA512

                              02e65628bdb70dc00624b8e432b4e88416f080962bcf4ea259465cabac3788e75e5bc4d18c582246b24c54fc10f5aa32c3bda77ce46393e5f7815672f6bc2f71

                              Download Submit