Malware Analysis Report

2024-09-22 11:38

Sample ID 230918-a7g2dsde6s
Target HAWB eHAWB 1 Copy516328125292121001.exe
SHA256 7efed1829051f94d9c430e22e88f59f64350397a1b0d355fd65951aee34d0f13
Tags
guloader remcos crypted discovery downloader rat hawkeye keylogger spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

7efed1829051f94d9c430e22e88f59f64350397a1b0d355fd65951aee34d0f13

Threat Level: Known bad

The file HAWB eHAWB 1 Copy516328125292121001.exe was found to be: Known bad.

Malicious Activity Summary

guloader remcos crypted discovery downloader rat hawkeye keylogger spyware stealer trojan

Remcos

Guloader,Cloudeye

HawkEye

Checks computer location settings

Checks QEMU agent file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-09-18 00:51

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 00:51

Reported

2023-09-18 00:53

Platform

win7-20230831-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 2356 N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\Alanson202.kul C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 doc-0s-0o-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0s-0o-docs.googleusercontent.com tcp
US 8.8.8.8:53 joerige38huilm1999.duckdns.org udp
US 45.62.170.73:2405 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

\Users\Admin\AppData\Local\Temp\nsi4B05.tmp\BgImage.dll

MD5 3138dac7ef0377dc6a37ba84dc56badd
SHA1 ec071ccfd71645a8c5d0687f7d12f04ec432dc6c
SHA256 227a52e0785b070baf673c4d97d28ced967c3c01ea62bd1da5f5c593940919db
SHA512 f00ca4983cc7742b4a8fd8bd134952a4a95a73b38ab4015e1faa520b6bee4c925863b299c983a52884b39a8380bb113f25ef305d9cc8c6a87014affe05efc933

\Users\Admin\AppData\Local\Temp\nsi4B05.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

memory/2220-48-0x00000000034C0000-0x0000000006584000-memory.dmp

memory/2220-49-0x00000000034C0000-0x0000000006584000-memory.dmp

memory/2220-50-0x0000000077370000-0x0000000077519000-memory.dmp

memory/2220-51-0x0000000077560000-0x0000000077636000-memory.dmp

memory/2220-52-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2356-53-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/2356-54-0x0000000077370000-0x0000000077519000-memory.dmp

memory/2356-55-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/2356-77-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-81-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/2356-82-0x0000000077370000-0x0000000077519000-memory.dmp

memory/2356-84-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-87-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-88-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-89-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-90-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-91-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-92-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-93-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-94-0x00000000728F0000-0x0000000073952000-memory.dmp

memory/2356-95-0x00000000728F0000-0x0000000073952000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-18 00:51

Reported

2023-09-18 00:53

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

Signatures

Guloader,Cloudeye

downloader guloader

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4636 set thread context of 3392 N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\Alanson202.kul C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\dxdiag.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{93C6CFF4-2B32-4960-B242-32F998285BA3} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{8E882DD5-062D-4A54-BB02-B6306FC76A1F} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe

"C:\Users\Admin\AppData\Local\Temp\HAWB eHAWB 1 Copy516328125292121001.exe"

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 doc-0s-0o-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0s-0o-docs.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 joerige38huilm1999.duckdns.org udp
US 45.62.170.73:2405 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 73.170.62.45.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 45.62.170.73:2405 tcp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 45.62.170.73:2405 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsjA9BE.tmp\BgImage.dll

MD5 3138dac7ef0377dc6a37ba84dc56badd
SHA1 ec071ccfd71645a8c5d0687f7d12f04ec432dc6c
SHA256 227a52e0785b070baf673c4d97d28ced967c3c01ea62bd1da5f5c593940919db
SHA512 f00ca4983cc7742b4a8fd8bd134952a4a95a73b38ab4015e1faa520b6bee4c925863b299c983a52884b39a8380bb113f25ef305d9cc8c6a87014affe05efc933

C:\Users\Admin\AppData\Local\Temp\nsjA9BE.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

memory/4636-49-0x0000000002F00000-0x0000000005FC4000-memory.dmp

memory/4636-50-0x0000000002F00000-0x0000000005FC4000-memory.dmp

memory/4636-51-0x0000000077CE1000-0x0000000077E01000-memory.dmp

memory/4636-52-0x0000000077CE1000-0x0000000077E01000-memory.dmp

memory/4636-53-0x0000000010000000-0x0000000010006000-memory.dmp

memory/3392-54-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/3392-55-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/3392-56-0x0000000077D68000-0x0000000077D69000-memory.dmp

memory/3392-57-0x0000000077D85000-0x0000000077D86000-memory.dmp

memory/3392-70-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-74-0x00000000007C0000-0x0000000003884000-memory.dmp

memory/3392-76-0x0000000077CE1000-0x0000000077E01000-memory.dmp

memory/3392-77-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-80-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-81-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-82-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/1240-84-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-85-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-83-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-92-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-93-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-95-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-94-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-91-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-90-0x0000000002250000-0x0000000002251000-memory.dmp

memory/1240-89-0x0000000002250000-0x0000000002251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 29a19c228517194d13df9ce93fba9e23
SHA1 f0ffd23434e8dbb4cd300487b6b9a0159b349563
SHA256 4a9394570b48d5c0b9bcb2a6f3095b6ed84b5331b68a77276da2738b4568e1dc
SHA512 83f17d42a33f744ba2ab16ee3394f5c2d9f204cd45f89e20a71ed1a19046c5cb1b9a40ab950541b9f6de0f9fb79bcdd6ccbabfe8a81d9c751e8d3ad00ef9a9d2

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 f26bb32972cb07a3e023f813ef73664d
SHA1 e421857591665798ea3e2560f4c1b671541ec773
SHA256 f7c62eb772a0ba51fc696cc25fb1830b7f42ea9c879920db13f2236ba2bcba81
SHA512 a6bd302c5d4234e031f25e862a86f5c32cda9ddc2d6e0ee1663903b8edb317ba86f4f16cc1998095ca9fd255622c6c7c04609d5e0ffd5887c391a0c1e5e2a0eb

memory/3392-113-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-114-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-115-0x0000000073350000-0x00000000745A4000-memory.dmp

memory/3392-116-0x0000000073350000-0x00000000745A4000-memory.dmp