Analysis Overview
SHA256
e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b
Threat Level: Known bad
The file e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Runningrat family
RunningRat
RunningRat payload
Sets DLL path for service in the registry
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Creates a Windows Service
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-18 17:48
Signatures
RunningRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Runningrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-18 17:48
Reported
2022-11-18 17:51
Platform
win7-20220812-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Stysm Prorest\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7071712.dll" | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Stysm Prorest.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Stysm Prorest.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\CMD.EXE | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | "C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Stysm Prorest" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Stysm Prorest" |
| C:\Windows\SysWOW64\Stysm Prorest.exe | "C:\Windows\system32\Stysm Prorest.exe" "c:\users\admin\appdata\local\temp\7071712.dll",MainThread |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
Files
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
\??\c:\users\admin\appdata\local\temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
memory/1440-58-0x0000000000400000-0x0000000000415000-memory.dmp
\Windows\SysWOW64\Stysm Prorest.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
memory/1460-60-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\Stysm Prorest.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
C:\Windows\SysWOW64\Stysm Prorest.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Users\Admin\AppData\Local\Temp\7071712.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-18 17:48
Reported
2022-11-18 17:51
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
RunningRat
RunningRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stysm Prorest\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240550031.dll" | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Stysm Prorest.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Stysm Prorest.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Stysm Prorest.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\CMD.EXE | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe | "C:\Users\Admin\AppData\Local\Temp\e40081ecb6bb87bceb8fbe60569557246431b4e4bb5d2f6e370cb577265b2e3b.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Stysm Prorest" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Stysm Prorest" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4964 -ip 4964 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1668 |
| C:\Windows\SysWOW64\Stysm Prorest.exe | "C:\Windows\system32\Stysm Prorest.exe" "c:\users\admin\appdata\local\temp\240550031.dll",MainThread |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | ilo.brenz.pl | udp |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
| N/A | 172.64.194.30:80 | ip.cn | tcp |
Files
memory/4964-132-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240550031.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
\??\c:\users\admin\appdata\local\temp\240550031.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
C:\Users\Admin\AppData\Local\Temp\240550031.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
memory/4964-136-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Windows\SysWOW64\Stysm Prorest.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/4184-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\240550031.dll
| MD5 | 8d50e0ddc6ec657765e41f5b2408561f |
| SHA1 | 3b6d7c4face9167061ed60ba09ac32e52d758d91 |
| SHA256 | 0ecb3b1b56c98ba24e10541e6638afbf91cc4ac680a9770650126e6d0ccd86da |
| SHA512 | 3b0ea7689f99ff7c11a49b6ea583916013ad48adbc1603594dcdf9c69bfe23d182208e74ff906c218484bf2c1550074a7de050b39f73aa3c0f2d26f8fdb36255 |
C:\Windows\SysWOW64\Stysm Prorest.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |