Analysis Overview
SHA256
a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431
Threat Level: Known bad
The file a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431 was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
Stealc
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-29 16:29
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 16:29
Reported
2024-04-29 16:32
Platform
win7-20240221-en
Max time kernel
68s
Max time network
145s
Command Line
Signatures
SectopRAT
SectopRAT payload
Stealc
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.3.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 560 set thread context of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u28o.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u28o.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u28o.3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u28o.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u28o.0.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"
C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u28o.0.exe"
C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
"C:\Users\Admin\AppData\Local\Temp\u28o.3.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae9758,0x7fef6ae9768,0x7fef6ae9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1240 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4004 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 16:29
Reported
2024-04-29 16:32
Platform
win10v2004-20240419-en
Max time kernel
70s
Max time network
65s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 696
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.90:80 | N/A | tcp |
| DE | 185.172.128.228:80 | N/A | tcp |
| DE | 185.172.128.59:80 | N/A | tcp |
Files