Malware Analysis Report

2024-11-13 19:17

Sample ID 240429-tzjd2afe5z
Target a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431
SHA256 a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431
Tags
sectoprat stealc discovery rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431

Threat Level: Known bad

The file a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431 was found to be: Known bad.

Malicious Activity Summary

sectoprat stealc discovery rat spyware stealer trojan

SectopRAT payload

SectopRAT

Stealc

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-29 16:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 16:29

Reported

2024-04-29 16:32

Platform

win7-20240221-en

Max time kernel

68s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2976 set thread context of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 560 set thread context of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u28o.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u28o.0.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
PID 2904 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
PID 2904 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
PID 2904 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
PID 2976 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
PID 2904 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
PID 2904 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
PID 2904 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
PID 2976 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 2332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 2332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 1816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 2564 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2776 wrote to memory of 2564 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe

"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"

C:\Users\Admin\AppData\Local\Temp\u28o.0.exe

"C:\Users\Admin\AppData\Local\Temp\u28o.0.exe"

C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\u28o.3.exe

"C:\Users\Admin\AppData\Local\Temp\u28o.3.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae9758,0x7fef6ae9768,0x7fef6ae9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1240 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4004 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 16:29

Reported

2024-04-29 16:32

Platform

win10v2004-20240419-en

Max time kernel

70s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe

"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 696

Network

Country Destination Domain Proto
DE 185.172.128.90:80 tcp
DE 185.172.128.228:80 tcp
DE 185.172.128.59:80 tcp

Files
