Analysis Overview
SHA256
67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8
Threat Level: Known bad
The file 2222-main.zip was found to be: Known bad.
Malicious Activity Summary
DCRat Payload
Echelon
DcRat
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Dcrat family
Modifies WinLogon for persistence
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2021-07-30 07:53 |
Signatures
DCRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral18
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win10v20210410 |
| Max time kernel | 15s |
| Max time network | 136s |
| Command Line | N/A |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | C:\Users\Admin\AppData\Local\Temp\1.exe |
| PID 3408 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | C:\Users\Admin\AppData\Local\Temp\1.exe |
| PID 3408 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
| PID 3408 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
| PID 3408 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1924
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.246.238:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
Files
memory/1564-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | dd3c11b27f04d8117c742743aee371fd |
| SHA1 | 1565d444ad28de48c4bf0ce25b07ef4651092621 |
| SHA256 | 0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49 |
| SHA512 | 8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c |
memory/1820-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
memory/1564-118-0x000002607FCD0000-0x000002607FCD1000-memory.dmp
memory/1820-122-0x0000000000E80000-0x0000000000E81000-memory.dmp
memory/1820-124-0x0000000005790000-0x0000000005791000-memory.dmp
memory/1564-125-0x0000026001B10000-0x0000026001B81000-memory.dmp
memory/1564-126-0x000002601A3D0000-0x000002601A3D2000-memory.dmp
Analysis: behavioral23
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win7v20210408 |
| Max time kernel | 4s |
| Max time network | 50s |
| Command Line | N/A |
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe"
Network
Files
memory/1724-60-0x00000000769B1000-0x00000000769B3000-memory.dmp
memory/1724-61-0x0000000000230000-0x0000000000242000-memory.dmp
Analysis: behavioral26
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win10v20210408 |
| Max time kernel | 25s |
| Max time network | 79s |
| Command Line | N/A |
Signatures
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.220.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0536980.xsph.ru | udp |
| N/A | 141.8.193.236:80 | f0536980.xsph.ru | tcp |
Files
memory/628-114-0x0000000000150000-0x0000000000151000-memory.dmp
memory/628-116-0x000000001BDA0000-0x000000001BDA2000-memory.dmp
memory/628-117-0x000000001CDB0000-0x000000001CE21000-memory.dmp
Analysis: behavioral32
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win10v20210410 |
| Max time kernel | 13s |
| Max time network | 153s |
| Command Line | N/A |
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1904
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
Files
memory/3212-114-0x0000000000760000-0x0000000000761000-memory.dmp
memory/3212-116-0x0000000005020000-0x0000000005021000-memory.dmp
Analysis: behavioral4
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win10v20210410 |
| Max time kernel | 12s |
| Max time network | 117s |
| Command Line | N/A |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3768 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3768 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3768 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\NanoSense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\NanoSense.dll,#1
Network
Files
memory/908-114-0x0000000000000000-mapping.dmp
Analysis: behavioral7
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win7v20210408 |
| Max time kernel | 12s |
| Max time network | 22s |
| Command Line | N/A |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC2.dll,#1
Network
Files
memory/1808-60-0x0000000000000000-mapping.dmp
memory/1808-61-0x0000000075211000-0x0000000075213000-memory.dmp
Analysis: behavioral11
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win7v20210410 |
| Max time kernel | 6s |
| Max time network | 43s |
| Command Line | N/A |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\fatality.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\fatality.dll,#1
Network
Files
memory/1348-59-0x0000000000000000-mapping.dmp
memory/1348-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
Analysis: behavioral29
Detonation Overview
| Submitted | 2021-07-30 07:53 |
| Reported | 2021-07-30 07:56 |
| Platform | win7v20210410 |
| Max time kernel | 5s |
| Max time network | 192s |
| Command Line | N/A |
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B27D.tmp\test.bat" "C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef65c4f50,0x7fef65c4f60,0x7fef65c4f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1228 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1764 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3708 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f4da890,0x13f4da8a0,0x13f4da8b0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4132 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=104 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=956 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1084,14082523670219831099,16189753940676319583,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 8.8.8.8:53 | redirector.gvt1.com | udp |
| N/A | 8.8.8.8:53 | accounts.google.com | udp |
| N/A | 142.250.179.142:443 | clients2.google.com | tcp |
| N/A | 172.217.168.206:443 | redirector.gvt1.com | tcp |
| N/A | 172.217.20.77:443 | accounts.google.com | tcp |
| N/A | 142.250.179.142:443 | clients2.google.com | tcp |
| N/A | 8.8.8.8:53 | pki.goog | udp |
| N/A | 216.239.32.29:80 | pki.goog | tcp |
| N/A | 216.239.32.29:80 | pki.goog | tcp |
| N/A | 8.8.8.8:53 | r3---sn-5hne6nzs.gvt1.com | udp |
| N/A | 74.125.8.104:443 | r3---sn-5hne6nzs.gvt1.com | udp |
| N/A | 74.125.8.104:443 | r3---sn-5hne6nzs.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | tcp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | udp |
| N/A | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 172.217.19.195:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 216.58.214.3:443 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 142.250.179.142:443 | clients2.google.com | udp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | udp |
| N/A | 172.217.168.202:443 | | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
Files
memory/592-59-0x0000000075A71000-0x0000000075A73000-memory.dmp
memory/316-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B27D.tmp\test.bat
| MD5 | 42ac200380fe0e83e8530221a5338973 |
| SHA1 | ce274c74a88d33f002831a3858180ea0e0dd97c8 |
| SHA256 | 20a0c6fec7dd212aad286fde1bfaf9a26805adac4d694cf1c90ce1920b75f49f |
| SHA512 | f846ad20777266854b69c6bf5f3f8c3b7db7a1ab5306bb4f6b7ba46446cf9b99e654bf1f6c244ba813d2a369432a7564ec2e87e819ed4ca8710ab986ef8bb439 |
memory/1536-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 8fa9be9f18616d95b86eb494d1c920d2 |
| SHA1 | 24dbd366f4ff6ded6368346f422182c7b9070ebd |
| SHA256 | 0f27dfa98993d9f68dfeb47aecc0ce52cd3c7dff6dfa2fd9ca0079e675a3c699 |
| SHA512 | ed04d21b22b8b8fb8f85d33bc6af58ca387dc75a7f8ab6147d9d39a0657990cc829fa00aefdba76a9b987ef3f0a4b49c3524f2fac993cf5f3cac326aa641e2f5 |
memory/604-64-0x0000000000000000-mapping.dmp
memory/1696-67-0x0000000000000000-mapping.dmp
memory/1764-68-0x0000000000000000-mapping.dmp
\??\pipe\crashpad_1536_XKMKHKMILOCCBSFP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1696-69-0x0000000077020000-0x0000000077021000-memory.dmp
memory/856-72-0x0000000000000000-mapping.dmp
memory/1936-75-0x0000000000000000-mapping.dmp
memory/960-77-0x0000000000000000-mapping.dmp
memory/892-81-0x0000000000000000-mapping.dmp
memory/368-83-0x0000000000000000-mapping.dmp
memory/552-87-0x0000000000000000-mapping.dmp
memory/1160-89-0x0000000000000000-mapping.dmp
memory/1536-92-0x00000000045C0000-0x00000000045C1000-memory.dmp
memory/2336-94-0x0000000000000000-mapping.dmp
memory/2412-97-0x0000000000000000-mapping.dmp
memory/2500-99-0x0000000000000000-mapping.dmp
memory/2516-100-0x0000000000000000-mapping.dmp
memory/2500-101-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
memory/2576-103-0x0000000000000000-mapping.dmp
memory/2656-106-0x0000000000000000-mapping.dmp
memory/2720-109-0x0000000000000000-mapping.dmp
memory/2772-112-0x0000000000000000-mapping.dmp
memory/2820-115-0x0000000000000000-mapping.dmp
memory/2868-118-0x0000000000000000-mapping.dmp
memory/2920-121-0x0000000000000000-mapping.dmp
memory/2968-124-0x0000000000000000-mapping.dmp
memory/3016-126-0x0000000000000000-mapping.dmp
memory/1860-130-0x0000000000000000-mapping.dmp
memory/3056-128-0x0000000000000000-mapping.dmp
memory/1836-133-0x0000000000000000-mapping.dmp
memory/2188-136-0x0000000000000000-mapping.dmp
memory/676-139-0x0000000000000000-mapping.dmp
memory/2284-143-0x0000000000000000-mapping.dmp
memory/2232-145-0x0000000000000000-mapping.dmp
memory/2060-147-0x0000000000000000-mapping.dmp
memory/2608-151-0x0000000000000000-mapping.dmp
memory/2652-155-0x0000000000000000-mapping.dmp
memory/2516-157-0x0000000000000000-mapping.dmp
memory/2764-163-0x0000000000000000-mapping.dmp
memory/2816-167-0x0000000000000000-mapping.dmp
memory/2728-160-0x0000000000000000-mapping.dmp
memory/1232-172-0x0000000000000000-mapping.dmp
memory/2668-170-0x0000000000000000-mapping.dmp
memory/1608-175-0x0000000000000000-mapping.dmp
memory/2348-184-0x0000000000000000-mapping.dmp
memory/2788-190-0x0000000000000000-mapping.dmp
memory/2304-188-0x0000000000000000-mapping.dmp
memory/2628-182-0x0000000000000000-mapping.dmp
memory/2552-179-0x0000000000000000-mapping.dmp
memory/2984-194-0x0000000000000000-mapping.dmp
memory/2856-196-0x0000000000000000-mapping.dmp
memory/1144-198-0x0000000000000000-mapping.dmp
memory/2472-201-0x0000000000000000-mapping.dmp
memory/1584-206-0x0000000000000000-mapping.dmp
memory/2436-213-0x0000000000000000-mapping.dmp
memory/2724-216-0x0000000000000000-mapping.dmp
memory/3012-219-0x0000000000000000-mapping.dmp
memory/2680-210-0x0000000000000000-mapping.dmp
memory/2020-204-0x0000000000000000-mapping.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
25s
Max time network
119s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.220.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
Files
memory/3716-114-0x000001C6F09F0000-0x000001C6F09F1000-memory.dmp
memory/3716-116-0x000001C6F30B0000-0x000001C6F30B2000-memory.dmp
memory/3716-117-0x000001C6F27A0000-0x000001C6F2811000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
120s
Max time network
174s
Command Line
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1248
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.220.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.138.232:443 | discord.com | tcp |
Files
memory/1028-59-0x0000000075591000-0x0000000075593000-memory.dmp
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | dd3c11b27f04d8117c742743aee371fd |
| SHA1 | 1565d444ad28de48c4bf0ce25b07ef4651092621 |
| SHA256 | 0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49 |
| SHA512 | 8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c |
memory/1936-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | dd3c11b27f04d8117c742743aee371fd |
| SHA1 | 1565d444ad28de48c4bf0ce25b07ef4651092621 |
| SHA256 | 0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49 |
| SHA512 | 8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c |
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | dd3c11b27f04d8117c742743aee371fd |
| SHA1 | 1565d444ad28de48c4bf0ce25b07ef4651092621 |
| SHA256 | 0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49 |
| SHA512 | 8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
memory/1744-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
memory/1936-68-0x0000000000070000-0x0000000000071000-memory.dmp
memory/1744-70-0x0000000001260000-0x0000000001261000-memory.dmp
memory/1936-73-0x000000001B030000-0x000000001B0A1000-memory.dmp
memory/1936-75-0x000000001AEB0000-0x000000001AEB2000-memory.dmp
memory/1744-74-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/1792-76-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | 3947b2cc3f68a712d431b5c2a2c2ee4d |
| SHA1 | db0443ba8a6d5839e93bf59f3eed0e69c545df3b |
| SHA256 | abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262 |
| SHA512 | f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991 |
memory/1792-82-0x0000000001D70000-0x0000000001D71000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
11s
Max time network
58s
Command Line
Signatures
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\sheyhST.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.239.65:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0536980.xsph.ru | udp |
| N/A | 141.8.193.236:80 | f0536980.xsph.ru | tcp |
Files
memory/2032-60-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2032-62-0x000000001B450000-0x000000001B4C1000-memory.dmp
memory/2032-63-0x000000001B500000-0x000000001B502000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
14s
Max time network
40s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.190.106:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
Files
memory/2024-60-0x0000000001100000-0x0000000001101000-memory.dmp
memory/2024-62-0x0000000000C30000-0x0000000000CA1000-memory.dmp
memory/2024-63-0x000000001AE40000-0x000000001AE42000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
63s
Max time network
141s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4020 created 4684 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4432 wrote to memory of 4684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4432 wrote to memory of 4684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4432 wrote to memory of 4684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\pandora.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\pandora.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1424
Network
Files
memory/4684-114-0x0000000000000000-mapping.dmp
memory/4684-115-0x0000000004930000-0x0000000005112000-memory.dmp
memory/4684-116-0x00000000012D0000-0x00000000012D1000-memory.dmp
memory/4684-117-0x00000000012B0000-0x00000000012B1000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
21s
Max time network
84s
Command Line
Signatures
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.173.155:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.138.232:443 | discord.com | tcp |
Files
memory/656-114-0x0000028F4DCB0000-0x0000028F4DCB1000-memory.dmp
memory/656-116-0x0000028F4F9E0000-0x0000028F4FA51000-memory.dmp
memory/656-117-0x0000028F4E0A0000-0x0000028F4E0A2000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
115s
Max time network
51s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1672 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\token.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1252
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
Files
memory/1672-60-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/1672-62-0x00000000768B1000-0x00000000768B3000-memory.dmp
memory/1672-63-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/656-64-0x0000000000000000-mapping.dmp
memory/656-65-0x00000000004D0000-0x00000000004D1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
63s
Max time network
100s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\", \"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\", \"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\dimsjob\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
DCRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| N/A | N/A | C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\dimsjob\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\dimsjob\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\iscsilog\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\iscsilog\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\iscsilog\conhost.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\iscsilog\088424020bedd6b28ac7fd22ee35dcd7322895ce | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\dimsjob\lsass.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\dimsjob\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\24dbde2999530ef5fd907494bc374d663924116c | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| N/A | N/A | C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
"C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\iscsilog\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\lsass.exe'" /rl HIGHEST /f
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe
"C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.146.156.144:80 | N/A | tcp |
| N/A | 185.146.156.144:80 | N/A | tcp |
Files
memory/1632-60-0x00000000766D1000-0x00000000766D3000-memory.dmp
memory/1280-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe
| MD5 | 559cdf34199c7353804d3d3550ccc3a3 |
| SHA1 | 43da9eae85816d75b10f537452a9b5c2ef9ae1f6 |
| SHA256 | c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108 |
| SHA512 | a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c |
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat
| MD5 | d5f5523af702e22a702e95fadf058335 |
| SHA1 | e495f695eed69a9af60dd6303b20ce0df82cadbb |
| SHA256 | 5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3 |
| SHA512 | f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6 |
memory/268-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
| MD5 | 413be497be904c09aa8bfe8f0182a949 |
| SHA1 | 9c5a69c83dbe2629290823d33c0afbce6d37f7bf |
| SHA256 | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21 |
| SHA512 | 01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee |
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
| MD5 | 413be497be904c09aa8bfe8f0182a949 |
| SHA1 | 9c5a69c83dbe2629290823d33c0afbce6d37f7bf |
| SHA256 | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21 |
| SHA512 | 01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee |
memory/1040-69-0x0000000000000000-mapping.dmp
memory/1040-71-0x0000000000960000-0x0000000000961000-memory.dmp
memory/1040-73-0x000000001B0F0000-0x000000001B0F2000-memory.dmp
memory/572-74-0x0000000000000000-mapping.dmp
memory/1932-75-0x0000000000000000-mapping.dmp
memory/820-76-0x0000000000000000-mapping.dmp
memory/1388-77-0x0000000000000000-mapping.dmp
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe
| MD5 | 413be497be904c09aa8bfe8f0182a949 |
| SHA1 | 9c5a69c83dbe2629290823d33c0afbce6d37f7bf |
| SHA256 | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21 |
| SHA512 | 01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee |
memory/824-78-0x0000000000000000-mapping.dmp
memory/824-81-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/824-83-0x000000001B040000-0x000000001B042000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210408
Max time kernel
137s
Max time network
141s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 784 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\aurora.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\aurora.dll,#1
Network
Files
memory/1608-60-0x0000000000000000-mapping.dmp
memory/1608-61-0x0000000075AA1000-0x0000000075AA3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
13s
Max time network
18s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\gan.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.190.106:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.138.232:443 | discord.com | tcp |
Files
memory/1816-60-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/1816-62-0x000000001AB70000-0x000000001ABE1000-memory.dmp
memory/1816-63-0x000000001AF00000-0x000000001AF02000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
19s
Max time network
130s
Command Line
Signatures
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.239.65:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0485066.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0485066.xsph.ru | tcp |
Files
memory/808-114-0x0000000000490000-0x0000000000491000-memory.dmp
memory/808-116-0x000000001C080000-0x000000001C0F1000-memory.dmp
memory/808-117-0x000000001C1E0000-0x000000001C1E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
69s
Max time network
138s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Boot\\zh-CN\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Boot\\zh-CN\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\takeown\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Boot\\zh-CN\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\takeown\\dllhost.exe\", \"C:\\Windows\\System32\\microsoft-windows-kernel-power-events\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
DCRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| N/A | N/A | C:\Boot\zh-CN\RuntimeBroker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\takeown\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\microsoft-windows-kernel-power-events\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Boot\\zh-CN\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Boot\\zh-CN\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\takeown\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\microsoft-windows-kernel-power-events\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\microsoft-windows-kernel-power-events\SppExtComObj.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\microsoft-windows-kernel-power-events\e1ef82546f0b02b7e974f28047f3788b1128cce1 | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\takeown\dllhost.exe | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| File created | C:\Windows\System32\takeown\5940a34987c99120d96dace90a3f93f329dcad63 | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Boot\zh-CN\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
"C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Boot\zh-CN\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\takeown\dllhost.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\microsoft-windows-kernel-power-events\SppExtComObj.exe'" /rl HIGHEST /f
C:\Boot\zh-CN\RuntimeBroker.exe
"C:\Boot\zh-CN\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.146.156.144:80 | N/A | tcp |
| N/A | 185.146.156.144:80 | N/A | tcp |
Files
memory/2216-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe
| MD5 | 559cdf34199c7353804d3d3550ccc3a3 |
| SHA1 | 43da9eae85816d75b10f537452a9b5c2ef9ae1f6 |
| SHA256 | c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108 |
| SHA512 | a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c |
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat
| MD5 | d5f5523af702e22a702e95fadf058335 |
| SHA1 | e495f695eed69a9af60dd6303b20ce0df82cadbb |
| SHA256 | 5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3 |
| SHA512 | f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6 |
memory/2176-119-0x0000000000000000-mapping.dmp
memory/1316-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
| MD5 | 413be497be904c09aa8bfe8f0182a949 |
| SHA1 | 9c5a69c83dbe2629290823d33c0afbce6d37f7bf |
| SHA256 | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21 |
| SHA512 | 01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee |
memory/1316-123-0x0000000000D10000-0x0000000000D11000-memory.dmp
memory/1316-125-0x0000000003090000-0x0000000003092000-memory.dmp
memory/1440-126-0x0000000000000000-mapping.dmp
memory/516-127-0x0000000000000000-mapping.dmp
memory/3992-128-0x0000000000000000-mapping.dmp
memory/3128-129-0x0000000000000000-mapping.dmp
memory/3208-130-0x0000000000000000-mapping.dmp
memory/4076-131-0x0000000000000000-mapping.dmp
C:\Boot\zh-CN\RuntimeBroker.exe
| MD5 | 413be497be904c09aa8bfe8f0182a949 |
| SHA1 | 9c5a69c83dbe2629290823d33c0afbce6d37f7bf |
| SHA256 | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21 |
| SHA512 | 01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee |
memory/4076-136-0x000000001BF02000-0x000000001BF03000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
5s
Max time network
21s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\petya.exe"
Network
Files
memory/3892-114-0x0000000000590000-0x00000000005A2000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210408
Max time kernel
13s
Max time network
24s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1020 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC.dll,#1
Network
Files
memory/2032-60-0x0000000000000000-mapping.dmp
memory/2032-61-0x0000000075451000-0x0000000075453000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
13s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3980 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3980 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3980 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC.dll,#1
Network
Files
memory/1688-114-0x0000000000000000-mapping.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
17s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2840 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 1012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\fatality.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\fatality.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 684
Network
Files
memory/1012-114-0x0000000000000000-mapping.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.246.238:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0485066.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0485066.xsph.ru | tcp |
Files
memory/1676-60-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/1676-62-0x0000000002670000-0x00000000026E1000-memory.dmp
memory/1676-63-0x0000000002700000-0x0000000002702000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210410
Max time kernel
6s
Max time network
43s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\NanoSense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\NanoSense.dll,#1
Network
Files
memory/2032-60-0x0000000000000000-mapping.dmp
memory/2032-61-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210408
Max time kernel
120s
Max time network
50s
Command Line
Signatures
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\98899.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe"
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
"C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
C:\Users\Admin\AppData\Local\Temp\98899.exe
"C:\Users\Admin\AppData\Local\Temp\98899.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1256
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.246.238:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
| N/A | 8.8.8.8:53 | f0485066.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0485066.xsph.ru | tcp |
Files
memory/1976-60-0x0000000075041000-0x0000000075043000-memory.dmp
memory/1752-62-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
| MD5 | c10aa673e83a05634292512446b5896d |
| SHA1 | 8ac8a1820c0f907412b8159476348ed690cfbaee |
| SHA256 | 6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e |
| SHA512 | 2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67 |
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
| MD5 | c10aa673e83a05634292512446b5896d |
| SHA1 | 8ac8a1820c0f907412b8159476348ed690cfbaee |
| SHA256 | 6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e |
| SHA512 | 2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67 |
memory/1752-67-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
memory/1700-66-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\98899.exe
| MD5 | ac0a9390d50cbc5133523482b31e0735 |
| SHA1 | 4d29f350e46df5672f87095033cdfe3710c58b42 |
| SHA256 | 710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c |
| SHA512 | a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64 |
C:\Users\Admin\AppData\Local\Temp\98899.exe
| MD5 | ac0a9390d50cbc5133523482b31e0735 |
| SHA1 | 4d29f350e46df5672f87095033cdfe3710c58b42 |
| SHA256 | 710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c |
| SHA512 | a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64 |
memory/1752-71-0x000000001B5E0000-0x000000001B651000-memory.dmp
memory/1700-72-0x0000000000F60000-0x0000000000F61000-memory.dmp
memory/1752-74-0x000000001BB60000-0x000000001BB62000-memory.dmp
memory/1700-76-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/876-77-0x0000000000000000-mapping.dmp
memory/876-83-0x0000000000320000-0x0000000000321000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
20s
Max time network
127s
Command Line
Signatures
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\98899.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\98899.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe |
| PID 3368 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe |
| PID 3368 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | C:\Users\Admin\AppData\Local\Temp\98899.exe |
| PID 3368 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | C:\Users\Admin\AppData\Local\Temp\98899.exe |
| PID 3368 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe | C:\Users\Admin\AppData\Local\Temp\98899.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\pass.exe"
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
"C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
C:\Users\Admin\AppData\Local\Temp\98899.exe
"C:\Users\Admin\AppData\Local\Temp\98899.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1924
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 54.39.106.25:443 | wtfismyip.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.246.238:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | f0485066.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0485066.xsph.ru | tcp |
Files
memory/1608-115-0x0000000000000000-mapping.dmp
memory/1868-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
| MD5 | c10aa673e83a05634292512446b5896d |
| SHA1 | 8ac8a1820c0f907412b8159476348ed690cfbaee |
| SHA256 | 6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e |
| SHA512 | 2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67 |
C:\Users\Admin\AppData\Local\Temp\98899.exe
| MD5 | ac0a9390d50cbc5133523482b31e0735 |
| SHA1 | 4d29f350e46df5672f87095033cdfe3710c58b42 |
| SHA256 | 710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c |
| SHA512 | a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64 |
memory/1608-121-0x0000000000E60000-0x0000000000E61000-memory.dmp
memory/1868-120-0x0000000000610000-0x0000000000611000-memory.dmp
memory/1868-124-0x0000000003140000-0x00000000031B1000-memory.dmp
memory/1608-125-0x0000000005730000-0x0000000005731000-memory.dmp
memory/1868-126-0x000000001C370000-0x000000001C372000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210408
Max time kernel
145s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\814B.tmp\test.bat" "C:\Users\Admin\AppData\Local\Temp\2222-main\test.exe""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff885794f50,0x7ff885794f60,0x7ff885794f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1824 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6476 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6444 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff622d0a890,0x7ff622d0a8a0,0x7ff622d0a8b0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6356 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6396 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6392 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6416 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6648 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6908 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6364 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6400 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7044 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7068 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7092 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7116 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7040 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5792 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6836 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6996 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6884 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,15166152720052553339,1157170737670009850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 8.8.8.8:53 | accounts.google.com | udp |
| N/A | 142.250.179.142:443 | clients2.google.com | tcp |
| N/A | 172.217.20.77:443 | accounts.google.com | tcp |
| N/A | 8.8.8.8:53 | pki.goog | udp |
| N/A | 216.239.32.29:80 | pki.goog | tcp |
| N/A | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | tcp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | udp |
| N/A | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 172.217.19.195:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 142.250.179.142:443 | clients2.google.com | udp |
| N/A | 142.250.179.193:443 | clients2.googleusercontent.com | udp |
| N/A | 172.217.19.202:443 | N/A | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 216.58.214.3:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| N/A | 216.58.214.3:443 | N/A | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 142.251.36.42:443 | N/A | tcp |
Files
memory/2640-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\814B.tmp\test.bat
| MD5 | 42ac200380fe0e83e8530221a5338973 |
| SHA1 | ce274c74a88d33f002831a3858180ea0e0dd97c8 |
| SHA256 | 20a0c6fec7dd212aad286fde1bfaf9a26805adac4d694cf1c90ce1920b75f49f |
| SHA512 | f846ad20777266854b69c6bf5f3f8c3b7db7a1ab5306bb4f6b7ba46446cf9b99e654bf1f6c244ba813d2a369432a7564ec2e87e819ed4ca8710ab986ef8bb439 |
memory/2876-116-0x0000000000000000-mapping.dmp
memory/3000-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 34ac213c5d072467016d676b79783c81 |
| SHA1 | a08224d365ab79c0bb3189b08565c8a72139a1bb |
| SHA256 | 6788ff076b0b0fca15541f0f6b90c135d5f51b36db9d5117f5da7be78e372a44 |
| SHA512 | 7aef8888fc779c355ed09292c373f240efbac10f19d74fdd34ed2444009adf7d75f209610a07d7bb3e5ebc06cc96ef8c2d93c4238f0f0116452f4779fd463917 |
\??\pipe\crashpad_2876_VLJEEWMBPGSURLOO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\crashpad_4460_WDMSVRTJSYGCQQFB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral8
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
12s
Max time network
129s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3872 wrote to memory of 4072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3872 wrote to memory of 4072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3872 wrote to memory of 4072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\OTC2.dll,#1
Network
Files
memory/4072-114-0x0000000000000000-mapping.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win10v20210410
Max time kernel
13s
Max time network
117s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2112 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2112 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\aurora.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\aurora.dll,#1
Network
Files
memory/3760-114-0x0000000000000000-mapping.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2021-07-30 07:53
Reported
2021-07-30 07:56
Platform
win7v20210408
Max time kernel
5s
Max time network
40s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1052 wrote to memory of 828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\pandora.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2222-main\pandora.dll,#1
Network
Files
memory/828-61-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/828-60-0x0000000000000000-mapping.dmp