IOC Report
http://87.225.105.173


Processes

Path
Cmdline
Malicious
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1776,i,3735756616294617513,1181315449176664881,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://87.225.105.173"

URLs

Name
IP
Malicious

Domains

Name
IP
Malicious

IPs

IP
Domain
Country
Malicious

Registry

Path
Value
Malicious

DOM / HTML

URL
Malicious
http://87.225.105.173:8080/cgi-bin/
https://www.qnap.com/_jump/web/myqnapcloud.php?
https://vars.hotjar.com/box-5e66f98b4ee957db209dc6f63e3d59dd.html
https://www.myqnapcloud.com/?lang=en
http://87.225.105.173:8080/photo/
https://service.qnap.com/it-it
http://87.225.105.173:8080/photo/gallery/