Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
2k632W2O.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml
|
XML 1.0 document, ASCII text, with CRLF, CR line terminators
|
modified
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
Chrome Cache Entry: 50
|
ASCII text, with very long lines (3774)
|
downloaded
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\2k632W2O.exe
|
"C:\Users\user\Desktop\2k632W2O.exe"
|
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
/C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
|
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
/C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
|
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
|
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
/C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
|
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
/C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
|
||
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
--service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2320,i,9069043476438568243,10755491246426050170,262144
--disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction
/prefetch:8
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 2 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.google.com/async/ddljson?async=ntp:2
|
142.250.189.132
|
||
|
https://www.google.com/async/newtab_promos
|
142.250.189.132
|
||
|
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
|
142.250.189.132
|
||
|
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
|
142.250.189.132
|
||
|
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGOe2sLEGIjBr0MdO0BYOJHvE4c3r_MeYQPdjstJTWuR7MYyn8Z4PVcXCDLAhkZk0gANbn-kD57oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
|
142.250.189.132
|
||
|
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGOe2sLEGIjCRQXKD8hfxz0ViO1eijFkmmx_OTjfe4iTZ5wTUpUMhz8i_7ZLVRoSzurhTqh7cwPUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
|
142.250.189.132
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
www.google.com
|
142.250.189.132
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
239.255.255.250
|
unknown
|
Reserved
|
||
|
142.250.189.132
|
www.google.com
|
United States
|
||
|
192.168.2.7
|
unknown
|
unknown
|
||
|
192.168.2.5
|
unknown
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1580000
|
trusted library allocation
|
page read and write
|
||
|
67B000
|
unkown
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
5C6000
|
unkown
|
page execute read
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
650000
|
unkown
|
page readonly
|
||
|
1544000
|
heap
|
page read and write
|
||
|
30F1000
|
heap
|
page read and write
|
||
|
965000
|
unkown
|
page execute read
|
||
|
107F000
|
unkown
|
page readonly
|
||
|
166C000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
166C000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1540000
|
heap
|
page read and write
|
||
|
171B000
|
heap
|
page read and write
|
||
|
5C0000
|
unkown
|
page readonly
|
||
|
5C1000
|
unkown
|
page execute read
|
||
|
2FA0000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
170E000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
2FA1000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
138C000
|
stack
|
page read and write
|
||
|
651000
|
unkown
|
page execute read
|
||
|
1544000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
107F000
|
unkown
|
page readonly
|
||
|
1544000
|
heap
|
page read and write
|
||
|
5F1000
|
unkown
|
page execute read
|
||
|
5C0000
|
unkown
|
page readonly
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
5F0000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
118C000
|
stack
|
page read and write
|
||
|
16C0000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1650000
|
heap
|
page read and write
|
||
|
14A0000
|
heap
|
page read and write
|
||
|
681000
|
unkown
|
page execute read
|
||
|
148E000
|
stack
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
5C5000
|
unkown
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
5EB000
|
unkown
|
page read and write
|
||
|
171B000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14D0000
|
trusted library allocation
|
page read and write
|
||
|
2FA1000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
3340000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
9F5000
|
unkown
|
page execute read
|
||
|
33B0000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1674000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
13F0000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
32D0000
|
heap
|
page read and write
|
||
|
194F000
|
stack
|
page read and write
|
||
|
1400000
|
heap
|
page read and write
|
||
|
1700000
|
heap
|
page read and write
|
||
|
128C000
|
stack
|
page read and write
|
||
|
5C3000
|
unkown
|
page readonly
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
FEF000
|
unkown
|
page readonly
|
||
|
15BA000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
165A000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
30F0000
|
heap
|
page read and write
|
||
|
656000
|
unkown
|
page execute read
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
655000
|
unkown
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
170A000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
30F1000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
965000
|
unkown
|
page execute read
|
||
|
653000
|
unkown
|
page readonly
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
9F5000
|
unkown
|
page execute read
|
||
|
1544000
|
heap
|
page read and write
|
||
|
1544000
|
heap
|
page read and write
|
||
|
144E000
|
stack
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
1675000
|
heap
|
page read and write
|
||
|
184F000
|
stack
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
FEF000
|
unkown
|
page readonly
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
650000
|
unkown
|
page readonly
|
||
|
165E000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
5E0000
|
heap
|
page read and write
|
||
|
57C000
|
stack
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
||
|
14A4000
|
heap
|
page read and write
|
There are 115 hidden memdumps, click here to show them.