Malware Analysis Report

2024-07-11 07:38

Sample ID 240114-rvmvjsceb9
Target 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c
SHA256 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c

Threat Level: Known bad

The file 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Unexpected DNS network traffic destination

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-14 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-14 14:30

Reported

2024-01-14 14:33

Platform

win7-20231129-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004400440043003800340033003200310041003800300037003900420042000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 2692 wrote to memory of 3064 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"

C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\system32\dllhost.exe 209 2692

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.chatgpt-server.com udp
N/A 10.127.255.255:3128 N/A udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp

Files

memory/2364-2-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2364-1-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2364-0-0x0000000000360000-0x0000000000460000-memory.dmp

memory/2660-19-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2692-28-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-40-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2692-46-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-44-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-43-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-42-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-41-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2364-31-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2692-29-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2660-27-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2692-26-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/2692-25-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2692-23-0x00000000000A0000-0x00000000000C0000-memory.dmp

memory/2692-20-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3064-56-0x0000000000200000-0x0000000000235000-memory.dmp

memory/3064-62-0x0000000000200000-0x0000000000235000-memory.dmp

memory/3064-61-0x0000000000200000-0x0000000000235000-memory.dmp

memory/3064-60-0x0000000000200000-0x0000000000235000-memory.dmp

memory/3064-59-0x0000000000200000-0x0000000000235000-memory.dmp

memory/3064-58-0x0000000000070000-0x0000000000071000-memory.dmp

memory/3064-57-0x0000000000200000-0x0000000000235000-memory.dmp

memory/2692-63-0x00000000001F0000-0x0000000000225000-memory.dmp

memory/3064-64-0x0000000000200000-0x0000000000235000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-14 14:30

Reported

2024-01-14 14:33

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A
Destination IP 35.77.99.82 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003300460033003000330036003200420041004100370033004300440035000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 8 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe C:\Windows\SysWOW64\svchost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"

C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe

"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\system32\dllhost.exe 209 772

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
N/A 10.127.255.255:3128 N/A udp
US 8.8.8.8:53 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
US 8.8.8.8:53 82.99.77.35.in-addr.arpa udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
JP 35.77.99.82:53 update.chatgpt-server.com udp
JP 35.77.99.82:80 update.chatgpt-server.com udp
JP 35.77.99.82:443 update.chatgpt-server.com udp
JP 35.77.99.82:8080 update.chatgpt-server.com udp
JP 35.77.99.82:53 update.chatgpt-server.com udp

Files

memory/3244-0-0x0000000002940000-0x0000000002A40000-memory.dmp

memory/3244-1-0x00000000028E0000-0x0000000002915000-memory.dmp

memory/3244-2-0x00000000028E0000-0x0000000002915000-memory.dmp

memory/8-18-0x0000000000F40000-0x0000000000F75000-memory.dmp

memory/8-19-0x0000000000F40000-0x0000000000F75000-memory.dmp

memory/772-21-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/772-20-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/772-23-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/3244-26-0x00000000028E0000-0x0000000002915000-memory.dmp

memory/8-22-0x0000000000F40000-0x0000000000F75000-memory.dmp

memory/772-34-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/772-35-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/772-36-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/772-37-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/772-38-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/772-40-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/2660-45-0x0000000001340000-0x0000000001375000-memory.dmp

memory/2660-44-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/2660-46-0x0000000001340000-0x0000000001375000-memory.dmp

memory/2660-47-0x0000000001340000-0x0000000001375000-memory.dmp

memory/2660-48-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/2660-49-0x0000000001340000-0x0000000001375000-memory.dmp

memory/2660-50-0x0000000001340000-0x0000000001375000-memory.dmp

memory/2660-51-0x0000000001340000-0x0000000001375000-memory.dmp

memory/772-52-0x0000000000F80000-0x0000000000FB5000-memory.dmp

memory/2660-53-0x0000000001340000-0x0000000001375000-memory.dmp