Analysis Overview
SHA256
5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c
Threat Level: Known bad
The file 5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Detects binaries and memory artifacts referencing sandbox product IDs
UPX dump on OEP (original entry point)
Modifies Installed Components in the registry
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-02 21:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 21:49
Reported
2024-05-02 21:52
Platform
win7-20231129-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Detects binaries and memory artifacts referencing sandbox product IDs
6 hits; the sandbox recorded no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
13 hits; the sandbox recorded no description, indicator, process or target for any of them.
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
UPX packed file
14 hits; the sandbox recorded no description, indicator, process or target for any of them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\ | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
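The five "Set value" rows above install one payload path through three launch points: the Policies\Explorer\Run key (machine and user hive), an Active Setup StubPath (processed once per user at logon, here with a "Restart" argument), and ordinary Run keys. Two details are worth checking programmatically: the Active Setup component {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} is not a well-formed GUID (J and X are not hex digits), and the data is written as C:\Windows\system32\... by a 32-bit process, so WoW64 file system redirection places the file under SysWOW64, which is exactly what the "Drops file in System32 directory" table records. The example below is added here and is not part of the sandbox output: the row strings are copied from the tables above, while the classifier, the Persistence record and its field names are this example's own.

```python
"""Classify the registry persistence rows recorded in this report.

Added example, not sandbox code. REPORT_ROWS are the "Set value (str)"
indicators copied from the behavioral1 tables; the sandbox doubles the
backslashes inside the value data and that escaping is kept verbatim.
"""
import re
from dataclasses import dataclass, field

REPORT_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"',
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe Restart"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msnmsg\\server.exe"',
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msnmsg\\server.exe"',
]

# A registry-format GUID: 8-4-4-4-12 hex digits in braces.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
# Split "path\to\x.exe optional args" into the executable and its arguments.
EXE_RE = re.compile(r"^(?P<path>.*?\.exe)(?:\s+(?P<args>\S.*))?$", re.I)


@dataclass
class Persistence:
    hive: str            # HKLM, or HKCU for \REGISTRY\USER\<SID>
    mechanism: str       # which autostart location launches the payload
    value_name: str
    payload: str         # executable path exactly as written to the registry
    args: str
    wow64_view: bool     # key sits under Wow6432Node, i.e. a 32-bit writer
    notes: list = field(default_factory=list)


def classify(row: str) -> Persistence:
    target, data = row.split(" = ", 1)
    key, _, value_name = target.rpartition("\\")
    data = data.strip('"').replace("\\\\", "\\")      # undo the sandbox escaping
    m = EXE_RE.match(data)
    payload, args = (m["path"], m["args"] or "") if m else (data, "")
    notes = []
    hive = "HKLM" if key.startswith("\\REGISTRY\\MACHINE") else "HKCU"
    low = key.lower()
    if "\\policies\\explorer\\run" in low:
        mechanism = "Policies Explorer Run"
    elif low.endswith("\\currentversion\\run"):
        mechanism = "Run key"
    elif "\\active setup\\installed components\\" in low and value_name.lower() == "stubpath":
        mechanism = "Active Setup StubPath"
        guid = key.rsplit("\\", 1)[1]
        if not GUID_RE.match(guid):
            notes.append(f"Active Setup component {guid} is not a valid GUID (non-hex characters)")
    else:
        mechanism = "unknown"
    wow64 = "wow6432node" in low
    if wow64 and "\\system32\\" in payload.lower():
        # A 32-bit writer on 64-bit Windows: the file lands under SysWOW64.
        notes.append("32-bit writer: file system redirection maps this path to SysWOW64")
    return Persistence(hive, mechanism, value_name, payload, args, wow64, notes)


def classify_all(rows=REPORT_ROWS):
    return [classify(r) for r in rows]


if __name__ == "__main__":
    for p in classify_all():
        print(f"{p.hive:4} {p.mechanism:22} {p.value_name:9} {p.payload} {p.args} {p.notes}")
```

All five rows resolve to the same executable, which the Files section below shows is a byte-for-byte copy of the submitted sample (identical SHA256). The invalid-GUID check is cheap and worth keeping in any Active Setup audit, because a legitimate component key is always a real GUID.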
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2364 set thread context of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe |
| PID 820 set thread context of 1276 | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Windows\SysWOW64\msnmsg\server.exe |
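Both rows pair with the "Suspicious use of WriteProcessMemory" signature and with the process list further down, where the sample and later server.exe each appear twice, the second instance with no recorded command line. That is the usual hollowing sequence: start a second copy of your own image, write a new image into it, then redirect its thread context to the new entry point. The memory dumps in the Files section show the footprint: PID 2364 has a 0xA001-byte region at 0x400000 while its target PID 2312 has 0x59000 bytes at the same base, and the same pair of sizes recurs for 820 and 1276. A small packed stub handing off to a much larger image in the child is consistent with the report's "UPX packed file" and "UPX dump on OEP" signatures. The example below is added here and is not sandbox code: the event strings and dump names are copied from this report, and the size comparison, verdict strings and function names are the example's own heuristic.

```python
"""Flag process hollowing from SetThreadContext events plus memory dumps.

Added example, not sandbox code. THREAD_CONTEXT_EVENTS and MEMORY_DUMPS are
copied from the behavioral1 tables and Files list of this report.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe"
SERVER = r"C:\Windows\SysWOW64\msnmsg\server.exe"

# (description, source image, target image) as the sandbox recorded them
THREAD_CONTEXT_EVENTS = [
    ("PID 2364 set thread context of 2312", SAMPLE, SAMPLE),
    ("PID 820 set thread context of 1276", SERVER, SERVER),
]

# Dump names encode pid, sequence number and the [start, end) of the region.
MEMORY_DUMPS = [
    "memory/2364-0-0x0000000000400000-0x000000000040A001-memory.dmp",
    "memory/2364-3-0x0000000000260000-0x000000000026B000-memory.dmp",
    "memory/2312-4-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2312-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2312-21-0x0000000024010000-0x0000000024072000-memory.dmp",
    "memory/820-3292-0x0000000000400000-0x000000000040A001-memory.dmp",
    "memory/1276-3307-0x0000000000400000-0x0000000000459000-memory.dmp",
]

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def region_sizes(dumps):
    """pid -> {region start: size in bytes}; repeated dumps of a region collapse."""
    out = defaultdict(dict)
    for name in dumps:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
        out[pid][start] = end - start
    return out


def find_hollowing(events=THREAD_CONTEXT_EVENTS, dumps=MEMORY_DUMPS, image_base=0x400000):
    """One finding per SetThreadContext event.

    Heuristic: if source and target run the same image path but the region at
    the image base has a different size in the target, the target is no
    longer executing the on-disk file; its image was replaced in memory.
    """
    sizes = region_sizes(dumps)
    findings = []
    for desc, src_img, dst_img in events:
        m = CTX_RE.match(desc)
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        src_size = sizes[src].get(image_base)
        dst_size = sizes[dst].get(image_base)
        if src_img.lower() != dst_img.lower():
            verdict = "injection into a different process"
        elif src_size and dst_size and src_size != dst_size:
            verdict = "hollowed self-copy: image region replaced"
        else:
            verdict = "self-injection, image region unchanged or not dumped"
        findings.append({"src": src, "dst": dst, "src_image_size": src_size,
                         "dst_image_size": dst_size, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_hollowing():
        print(f"{f['src']} -> {f['dst']}: 0x{f['src_image_size']:X} vs 0x{f['dst_image_size']:X}: {f['verdict']}")
```

The same logic works on live telemetry if you substitute the image-base region size from a memory scan for the dump-name parsing; the value of the sandbox artifacts is that they make the size mismatch visible without a debugger.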
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
"C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe"
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
"C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe"
C:\Windows\SysWOW64\msnmsg\server.exe
"C:\Windows\system32\msnmsg\server.exe"
C:\Windows\SysWOW64\msnmsg\server.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
Files
memory/2364-0-0x0000000000400000-0x000000000040A001-memory.dmp
memory/2364-3-0x0000000000260000-0x000000000026B000-memory.dmp
memory/2312-4-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-6-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2364-13-0x0000000000400000-0x000000000040A001-memory.dmp
memory/2312-14-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-11-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2312-8-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-16-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-17-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-15-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-18-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2312-21-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1372-22-0x0000000002E60000-0x0000000002E61000-memory.dmp
memory/1444-267-0x0000000000160000-0x0000000000161000-memory.dmp
memory/1444-266-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1444-554-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Windows\SysWOW64\msnmsg\server.exe
| MD5 | e51b2c0f6c877c1a8b0ad4bc67458fef |
| SHA1 | d6af1ac5e6fb2753e6129871ca59ec11a6e740fa |
| SHA256 | 5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c |
| SHA512 | cf3d222a699f73a2a50c9e81c2eb4c6d9cb11066b578c83332fa64eeccb200e373bf6dc2d971db72df0d53cbe7b8c622dfb4741437c3e3475a772fbd8d0dbde6 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 51ad3268165a878e5a1dd0ca508005db |
| SHA1 | a395ef00eb1b70fdf6bc7899e98a939caec835fb |
| SHA256 | e5a18c91e4d7a602092ef02a665fb03a0e9e1cf6e904f7990bc41cab2dbe5c26 |
| SHA512 | 1327c6193cfdec63a52e1f928d7c67c1e517330e9236b801163bb424eb60eedf2a3fba785be48b7c1f2554a0cf720ab686f94ffd2d833ae8ea002bd4cad074c3 |
memory/2312-578-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2312-887-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/820-3292-0x0000000000400000-0x000000000040A001-memory.dmp
memory/2292-3291-0x0000000006190000-0x000000000619B000-memory.dmp
memory/820-3304-0x0000000000400000-0x000000000040A001-memory.dmp
memory/1276-3307-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1276-3533-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6f54e927eb5501d2ed9916cfd3191f8a |
| SHA1 | a0b64b086782fef28a29bde774774b884b3046c0 |
| SHA256 | 091254baf295cb892ed8aa86e3cc1fcc66361952ceaa46a130edab16d5684694 |
| SHA512 | de40a3942b56cc72e706610b6a70797468415ce2a5046e1dfae0c3f77652233cf3a2442ac1a712bd957cbe0e281d8e58e23d76b75ea0e172dd6331c8755c1fde |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b43f9815d5930a713b49224633d4e499 |
| SHA1 | 795ceae28929911ad9110c74e1f6a10aa7ca8b89 |
| SHA256 | 6baa3b3763f868729f5036635f9b9f4f15b5780959381bea16e2f38ff295e0e0 |
| SHA512 | 0fdc9d7500a400dd5700087e6c2e7183aae518ba770bb13549d7365d6d3799fc525f5988ad11eee724bf89cd5baae2b20c7883d25f18eebefeef8b1c18a232a5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e4df6adef918aa7af7cf302ecc891443 |
| SHA1 | 88ebcc926bd8162ffed59ff17e6204defd6fb013 |
| SHA256 | bd1ea0878a9c64a224accbde95e1539263ad37256c0ae724376a6645a1f1f635 |
| SHA512 | 65f351d1b0313a5582b66e9bf55f963c150229d256125c71c2875b15d60a38698205cca06e19f3cc27fc01f9eff2a76fb60926d9e2b902cd1c6ac4bf7b46d075 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fd74633456fb619ac9f73869cc61f817 |
| SHA1 | 74fd5ea5ad0560e8c8e2c027c3056d2ba04afeaf |
| SHA256 | bb31cb633697a41b6f00fcfdcafafb322e36186e14962d5fe02f98ba5b811fc6 |
| SHA512 | 4ab666444326b477e3cabeda543cb0ef6255efc5a90d3b9a4386092c74fc898a2307d5841e102f009502d567a4806a091d983c3a72880f6c429965934f8a1675 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cf91b9bd1ba6ec5c35ff297894348bc5 |
| SHA1 | cc7182c54c113e5f880dd3ac5d5731bac8da020c |
| SHA256 | 06261e3481daa80bc3645284804da052ac8e9dc5ca79e901f455f02a3ad0e29e |
| SHA512 | c5bbb171c91c301de789214058d118965a88acbb33d39815182d5c0859d2c61abc0941aa6576c15d30c5f3f19ff4d89bc007d73369307fb9a01e58951981f52e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1de7e7775caefae2c1251edb5abadac7 |
| SHA1 | 97efffc6bcabc3883078c03417aaff0ddd5b95ed |
| SHA256 | 1d5094727cbf2a133bae2412a8444a114995595d874fc49bee843114afaa36de |
| SHA512 | aa94d49fbfe0a683b4fc1e9af283bf87f3e0d95ea71817c4ac3120c2ebbf1b547bc10caa1073af1d7f02c8391ba6752ffaf9a9e6d44f69144ec7704448b276c9 |
memory/1444-3827-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0643322d1e182741bb0675daa0163974 |
| SHA1 | f28621d615541920e02ad9f6d0f4a21af606b17c |
| SHA256 | a7b98271b87398d0a949146298b21c5a45a06d7b07369a02e2402837cdfe503d |
| SHA512 | 05a2209fd6473422f12076609cd506b6c44d30fd5e56923441f65261340df973a2fd85767417a1788d1ed679c43f593b0cbcec4c257e6c0c752477575535a7b3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ba92ab58a79a04bb22d7a191d80d5a45 |
| SHA1 | 5e1d091fbdc9c7b6fff94f6b992da7d0a9afbcbf |
| SHA256 | d151c21003326c451d6ab7077959c74b4c3db54f4b7af1ac4809fe6cf35be3ef |
| SHA512 | c0724bddd489102633dc5e6b569f04457e8b0e7c0127b9ff3a71fafa424422a66ac0165d41ba7d48cd7665b76423e1c8fcc6782d1e616ffcbf8a4a8435fb5336 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6d74ce4677d7bedadf3a3a714dc529f6 |
| SHA1 | ec07c02e3cee01bedcabecffc367d6439ce750c8 |
| SHA256 | fbb9ebf532472ea8bc2ebe31bcb52149019ea6fabac48601789ebf261bdbed5f |
| SHA512 | b806d80706203f5878294f34478777c90e2774337d6b38a09855830601c93389ad1e64c34e25885e0eb9d2abd9bffc5dffc2d6e1274f815d3ea69f7469b6d22c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 72718c3c34f57b8d3ff117b8eca3840b |
| SHA1 | 7d691b66532389a3be75a509d5e6ca5881ce1506 |
| SHA256 | f64885f3b22ec23b76cff323dc3bc257e1c4b2348d279f87b3256dfa945d8ac6 |
| SHA512 | 2a0505adf73206358785eec28c716b22929a08637e7117c7aac634f5011bb852f51f66721a5ce8144e48296ab518c81921e458ef51c73cc87df605b0ac9643a0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f26d078dfca2d375498acb9ec2c4c0fe |
| SHA1 | a060d962ad78695a961adbcbe4619df64c0f71af |
| SHA256 | ae264655f46bd9d2071dea78b269f6bc8c2b92e7bdd6461a5c58064a76ce56d0 |
| SHA512 | 58bea99b79c46cd6ec97ff1d03a748311cc715766605c0b570acd67d59d4b4bf3ffb067a8e30d33d5ff244df658317caa399b5a85bcce2ddf5d8aa8ca90c0eb1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 13a9b52c6da2a017f7e5036ce3a863d2 |
| SHA1 | 9b987213f5fbe19e6053efd94b8f3b0835bc15da |
| SHA256 | 1388203c279489ef9e538840edb0c5e68db7190c7a9e6d7a6586f410ec1680b8 |
| SHA512 | 25a53dcea16ad4b8ff323db18d44142caef251e78d4b264d9fd4640b8037d97223ed9375e81bac3822498f02d412f0dd5142e6a51a7786eba81915ca5a57c2eb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 00efc0f07a122fc377df4ca3b85f6e07 |
| SHA1 | a3feed882097fbc1234d8673d00400a837cc085b |
| SHA256 | a52bc98eef2fdd46dbcf53319de53442181fe0c10861fa550ce9e77cac8eb610 |
| SHA512 | 0f1cda6f33fc3020f97a0baf6bf14c76f8753d7c41b66d053da454a96ee2037994bb2d2dda373883cd221f9c04201832e538c464536a5806442bd5fe14e3ce24 |
memory/2292-4278-0x0000000006190000-0x000000000619B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f6f492e789bfb2a5b48a4bc47734f89c |
| SHA1 | 42cdd9f9605ff3e2b3e586876f020d7a73c29ea5 |
| SHA256 | f05fd198f980d3797361f0c4bcff306c82d707182d9e33a5b7522d80d17bbc5a |
| SHA512 | 76ac4ede0e25a39c67d6537f2ab0baff01d76a5475384986eda30cb8a13fe0ce3df5a589fabc4499727da6c256665d71d07554265fd03a33cb41c0d078731abc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 366d37b8b2b7da3126e42584229491bf |
| SHA1 | 010b61616285095e8afa20e80f15e366faa37eb3 |
| SHA256 | 6b326e3ec5ac1e48fcfcc9bf2c11bcc87f9d0a0ddb1c5408cae7d2c940007aa4 |
| SHA512 | 0a44e755fe93f36b80d5d242a0147bb123fffa8ae5c32280f80ad962f32d7c390c1bb772ca92eeef1b46c4d3d5aaea466955b81dd8ee8bb4dab202ef61a24907 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7453cebf0a70598f28093ae2726cc572 |
| SHA1 | 6b1fa5cce3f4408dcc2094bbce4d11234d9e0ee8 |
| SHA256 | 871183b4ce9ee1d13483cc7be699a07858d35c9b874699ed1994924bc8f263a5 |
| SHA512 | 6806d2167fff32ee557ef406d2dc7f8e94d9b66af94e1a1e4095034d1778aba392abd8e99f16a77162c0ebacffac8e1188b8a1b770086e8cf3b2e7d41dd5cf7e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4f05619874b1319b313dd163a9c4ac00 |
| SHA1 | 92db79ef30391bac470c0804973a281b02b7b283 |
| SHA256 | 7164957bf4b87ada295daf74c31685bff29ae4a0a4b0579b19112c5934d81841 |
| SHA512 | cb4e2716069a0510b409334f8de228cf5dc38ee0a7dcd5eb3cdb63f449a903156f3fa6d0c9e2384af4a9a7aec190d4a7fe88a86397828695080f19109d6d9126 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 234656b339a4b4ffe46da3e2f0831e60 |
| SHA1 | b54345f354d131595a69e0305e34c32b88e2b3c6 |
| SHA256 | a9714cbd1b23cb842cbbf9d4bf518a128fa9778f93e6c145d81832576a628283 |
| SHA512 | cd9e07feb7837f1f8320d035a5815ceb6cc5a4c5cf7af9ce83eabebf127e180a371ae67325d19125efb887edeee8f2ce2ac98a4443e535b5af990b4624f83bea |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7c8fa83f3f29341b43bde64a0bc806a5 |
| SHA1 | ffc5dc09e1c56a3817cdc058c56e214631eaaefb |
| SHA256 | b96046b09a725ab2729b8cf807b1ad7458e16a0728c919f0410fd66c402588ba |
| SHA512 | ae3161843178d0086f85d1e03d62de97a8c2324a7f718f0da6b609f38dfa5c6007fb2b762efc9c78a693c69349a90dd919179b77ae1a45544d2b97b927c55a19 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-02 21:49
Reported
2024-05-02 21:52
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Detects binaries and memory artifacts referencing sandbox product IDs
4 hits; the sandbox recorded no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
12 hits; the sandbox recorded no description, indicator, process or target for any of them.
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
UPX packed file
12 hits; the sandbox recorded no description, indicator, process or target for any of them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msnmsg\\server.exe" | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\ | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3492 set thread context of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe |
| PID 3076 set thread context of 1016 | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | C:\Windows\SysWOW64\msnmsg\server.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msnmsg\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | "C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe" |
| C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | N/A |
| C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe | "C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe" |
| C:\Windows\SysWOW64\msnmsg\server.exe | "C:\Windows\system32\msnmsg\server.exe" |
| C:\Windows\SysWOW64\msnmsg\server.exe | N/A |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1016 -ip 1016 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 564 |
| C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 772 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2396 -ip 2396 |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
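Almost every entry in the process list above is the guest's own services. The sample-related ones are the instances of 5079a73b…4a4c.exe, a 32-bit explorer.exe started from SysWOW64 with a bare command line, iexplore.exe, the two instances of msnmsg\server.exe, and the WerFault.exe invocations for PIDs 1016 and 2396 that back the Program crash signature. Two details are worth checking by hand: server.exe's command line names C:\Windows\system32\ while the image runs from C:\Windows\SysWOW64\, which is WoW64 file-system redirection (a 32-bit binary whose Run key points at system32 lands in SysWOW64 on 64-bit Windows), and one instance each of the sample and of server.exe has no command line recorded at all, which together with the SetThreadContext and WriteProcessMemory signatures is consistent with a process created suspended for injection. The script below is an added example, not part of the sandbox tooling: PROCESS_EXCERPT is a slice of the list above in its flat image/command-line form, the pairing heuristic and the four checks are this editor's, and the excerpt omits the benign entries between the sample's second instance and the SysWOW64 explorer.exe.

```python
"""Flag the interesting entries in a sandbox report's flat process list.

Added example, not part of the sandbox tooling. PROCESS_EXCERPT is a slice
of this report's Processes section (an image path, then the command line
the sandbox recorded for it, if any); the pairing heuristic and the checks
are this editor's.
"""
import re

PROCESS_EXCERPT = r"""
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
"C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe"
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe
"C:\Users\Admin\AppData\Local\Temp\5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c.exe"
C:\Windows\SysWOW64\msnmsg\server.exe
"C:\Windows\system32\msnmsg\server.exe"
C:\Windows\SysWOW64\msnmsg\server.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2396 -ip 2396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 772
"""

# An image line is an unquoted drive-letter path that ends in .exe with no arguments.
IMAGE_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)


def parse_processes(text):
    """Pair each image path with the line after it, unless that line is a different bare image path."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs, i = [], 0
    while i < len(lines):
        image = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if nxt is not None and (nxt == image or not IMAGE_RE.match(nxt)):
            procs.append({"image": image, "cmdline": nxt})
            i += 2
        else:
            procs.append({"image": image, "cmdline": None})  # no command line recorded
            i += 1
    return procs


def without_cmdline(procs):
    """Instances the sandbox saw but never recorded a command line for."""
    return [p["image"] for p in procs if p["cmdline"] is None]


def path_mismatches(procs):
    """(image path, executable named on its own command line) where the two differ."""
    out = []
    for p in procs:
        c = p["cmdline"]
        if not c:
            continue
        exe = c[1:].split('"', 1)[0] if c.startswith('"') else c.split(" ", 1)[0]
        if "\\" in exe and exe.lower() != p["image"].lower():
            out.append((p["image"], exe))
    return out


def crashed_pids(procs):
    """PIDs handed to WerFault.exe with -p: the processes that crashed."""
    pids = set()
    for p in procs:
        if p["cmdline"] and p["image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"\s-p\s+(\d+)", p["cmdline"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def user_writable(procs):
    """Images executing out of a user profile directory."""
    return [p["image"] for p in procs if "\\users\\" in p["image"].lower()]


if __name__ == "__main__":
    procs = parse_processes(PROCESS_EXCERPT)
    print("no command line:", without_cmdline(procs))
    print("path mismatch:", path_mismatches(procs))
    print("crashed PIDs:", sorted(crashed_pids(procs)))
    print("user-writable images:", user_writable(procs))
```

Run on the excerpt, the path-mismatch check returns exactly the server.exe system32/SysWOW64 pair, the no-command-line check returns one instance each of the sample and of server.exe, and the crash check returns PIDs 1016 and 2396; PID 1016 also appears in the memory dumps below, so that crash is one of the sample's own processes.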
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.126.19.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 50.28.101.95.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
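Reading the network table: 13 of the 31 rows are reverse (in-addr.arpa) lookups, three are bing.com connections the guest makes on its own, and the remaining 13 TCP rows all go to www.server.com at 52.8.126.80:80, the only peer not explained by the sandbox image itself. The script below is an added example, not part of the sandbox tooling: it parses the table exactly as printed above, discards the PTR noise and an allowlist of Microsoft domains (the allowlist is this editor's assumption), and ranks the remaining TCP peers by connection count. One caveat before acting on the result: a name as generic as www.server.com may be a placeholder left in the RAT's configuration, so 52.8.126.80 is what that domain happened to resolve to during detonation rather than confirmed attacker infrastructure; corroborate it before blocking.

```python
"""Pull candidate C2 endpoints out of a sandbox report's network table.

Added example: NETWORK_TABLE is the Network section of this report copied
as-is; the parser and the BENIGN_SUFFIXES allowlist are this editor's, not
part of the sandbox tooling.
"""
from collections import Counter, defaultdict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.126.19.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 50.28.101.95.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
"""

# Assumption: the guest's own Microsoft/Bing traffic is sandbox noise, not the sample's.
BENIGN_SUFFIXES = ("bing.com", "microsoft.com", "windowsupdate.com")


def parse_rows(table):
    """Markdown-style rows -> list of {country, dest, domain, proto}; the header row is skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def is_ptr(domain):
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(rows):
    """Split the table into forward DNS queries, PTR noise and per-peer TCP connection counts."""
    tcp = defaultdict(Counter)  # domain -> "ip:port" -> number of connections
    dns_queries, ptr_lookups = set(), 0
    for r in rows:
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            if is_ptr(r["domain"]):
                ptr_lookups += 1
            else:
                dns_queries.add(r["domain"])
        elif r["proto"] == "tcp":
            tcp[r["domain"]][r["dest"]] += 1
    return {"tcp": tcp, "dns_queries": dns_queries, "ptr_lookups": ptr_lookups}


def candidate_c2(rows):
    """(domain, endpoint, connections) for every TCP peer not on the allowlist, busiest first."""
    out = [(d, ep, n) for d, eps in summarize(rows)["tcp"].items()
           if not is_benign(d) for ep, n in eps.items()]
    return sorted(out, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    table_rows = parse_rows(NETWORK_TABLE)
    print("PTR lookups ignored:", summarize(table_rows)["ptr_lookups"])
    for domain, endpoint, n in candidate_c2(table_rows):
        print(f"{domain} -> {endpoint} ({n} connections)")
```

The forward DNS queries the summary keeps are a useful second list: here they are just g.bing.com and www.server.com, so nothing was queried that never received a connection, which rules out a fallback C2 name that failed to resolve during the run.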
Files
memory/3492-0-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-4-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3492-8-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-7-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-6-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-9-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-12-0x0000000024010000-0x0000000024072000-memory.dmp
memory/2884-18-0x0000000000420000-0x0000000000421000-memory.dmp
memory/2884-17-0x0000000000160000-0x0000000000161000-memory.dmp
memory/336-16-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2884-78-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Windows\SysWOW64\msnmsg\server.exe
| MD5 | e51b2c0f6c877c1a8b0ad4bc67458fef |
| SHA1 | d6af1ac5e6fb2753e6129871ca59ec11a6e740fa |
| SHA256 | 5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c |
| SHA512 | cf3d222a699f73a2a50c9e81c2eb4c6d9cb11066b578c83332fa64eeccb200e373bf6dc2d971db72df0d53cbe7b8c622dfb4741437c3e3475a772fbd8d0dbde6 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 51ad3268165a878e5a1dd0ca508005db |
| SHA1 | a395ef00eb1b70fdf6bc7899e98a939caec835fb |
| SHA256 | e5a18c91e4d7a602092ef02a665fb03a0e9e1cf6e904f7990bc41cab2dbe5c26 |
| SHA512 | 1327c6193cfdec63a52e1f928d7c67c1e517330e9236b801163bb424eb60eedf2a3fba785be48b7c1f2554a0cf720ab686f94ffd2d833ae8ea002bd4cad074c3 |
memory/1160-88-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-150-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1160-151-0x0000000024160000-0x00000000241C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/3076-448-0x0000000000400000-0x000000000040A001-memory.dmp
memory/1016-619-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b43f9815d5930a713b49224633d4e499 |
| SHA1 | 795ceae28929911ad9110c74e1f6a10aa7ca8b89 |
| SHA256 | 6baa3b3763f868729f5036635f9b9f4f15b5780959381bea16e2f38ff295e0e0 |
| SHA512 | 0fdc9d7500a400dd5700087e6c2e7183aae518ba770bb13549d7365d6d3799fc525f5988ad11eee724bf89cd5baae2b20c7883d25f18eebefeef8b1c18a232a5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e4df6adef918aa7af7cf302ecc891443 |
| SHA1 | 88ebcc926bd8162ffed59ff17e6204defd6fb013 |
| SHA256 | bd1ea0878a9c64a224accbde95e1539263ad37256c0ae724376a6645a1f1f635 |
| SHA512 | 65f351d1b0313a5582b66e9bf55f963c150229d256125c71c2875b15d60a38698205cca06e19f3cc27fc01f9eff2a76fb60926d9e2b902cd1c6ac4bf7b46d075 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fd74633456fb619ac9f73869cc61f817 |
| SHA1 | 74fd5ea5ad0560e8c8e2c027c3056d2ba04afeaf |
| SHA256 | bb31cb633697a41b6f00fcfdcafafb322e36186e14962d5fe02f98ba5b811fc6 |
| SHA512 | 4ab666444326b477e3cabeda543cb0ef6255efc5a90d3b9a4386092c74fc898a2307d5841e102f009502d567a4806a091d983c3a72880f6c429965934f8a1675 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cf91b9bd1ba6ec5c35ff297894348bc5 |
| SHA1 | cc7182c54c113e5f880dd3ac5d5731bac8da020c |
| SHA256 | 06261e3481daa80bc3645284804da052ac8e9dc5ca79e901f455f02a3ad0e29e |
| SHA512 | c5bbb171c91c301de789214058d118965a88acbb33d39815182d5c0859d2c61abc0941aa6576c15d30c5f3f19ff4d89bc007d73369307fb9a01e58951981f52e |
memory/2884-842-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1de7e7775caefae2c1251edb5abadac7 |
| SHA1 | 97efffc6bcabc3883078c03417aaff0ddd5b95ed |
| SHA256 | 1d5094727cbf2a133bae2412a8444a114995595d874fc49bee843114afaa36de |
| SHA512 | aa94d49fbfe0a683b4fc1e9af283bf87f3e0d95ea71817c4ac3120c2ebbf1b547bc10caa1073af1d7f02c8391ba6752ffaf9a9e6d44f69144ec7704448b276c9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0643322d1e182741bb0675daa0163974 |
| SHA1 | f28621d615541920e02ad9f6d0f4a21af606b17c |
| SHA256 | a7b98271b87398d0a949146298b21c5a45a06d7b07369a02e2402837cdfe503d |
| SHA512 | 05a2209fd6473422f12076609cd506b6c44d30fd5e56923441f65261340df973a2fd85767417a1788d1ed679c43f593b0cbcec4c257e6c0c752477575535a7b3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ba92ab58a79a04bb22d7a191d80d5a45 |
| SHA1 | 5e1d091fbdc9c7b6fff94f6b992da7d0a9afbcbf |
| SHA256 | d151c21003326c451d6ab7077959c74b4c3db54f4b7af1ac4809fe6cf35be3ef |
| SHA512 | c0724bddd489102633dc5e6b569f04457e8b0e7c0127b9ff3a71fafa424422a66ac0165d41ba7d48cd7665b76423e1c8fcc6782d1e616ffcbf8a4a8435fb5336 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6d74ce4677d7bedadf3a3a714dc529f6 |
| SHA1 | ec07c02e3cee01bedcabecffc367d6439ce750c8 |
| SHA256 | fbb9ebf532472ea8bc2ebe31bcb52149019ea6fabac48601789ebf261bdbed5f |
| SHA512 | b806d80706203f5878294f34478777c90e2774337d6b38a09855830601c93389ad1e64c34e25885e0eb9d2abd9bffc5dffc2d6e1274f815d3ea69f7469b6d22c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 72718c3c34f57b8d3ff117b8eca3840b |
| SHA1 | 7d691b66532389a3be75a509d5e6ca5881ce1506 |
| SHA256 | f64885f3b22ec23b76cff323dc3bc257e1c4b2348d279f87b3256dfa945d8ac6 |
| SHA512 | 2a0505adf73206358785eec28c716b22929a08637e7117c7aac634f5011bb852f51f66721a5ce8144e48296ab518c81921e458ef51c73cc87df605b0ac9643a0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f26d078dfca2d375498acb9ec2c4c0fe |
| SHA1 | a060d962ad78695a961adbcbe4619df64c0f71af |
| SHA256 | ae264655f46bd9d2071dea78b269f6bc8c2b92e7bdd6461a5c58064a76ce56d0 |
| SHA512 | 58bea99b79c46cd6ec97ff1d03a748311cc715766605c0b570acd67d59d4b4bf3ffb067a8e30d33d5ff244df658317caa399b5a85bcce2ddf5d8aa8ca90c0eb1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 13a9b52c6da2a017f7e5036ce3a863d2 |
| SHA1 | 9b987213f5fbe19e6053efd94b8f3b0835bc15da |
| SHA256 | 1388203c279489ef9e538840edb0c5e68db7190c7a9e6d7a6586f410ec1680b8 |
| SHA512 | 25a53dcea16ad4b8ff323db18d44142caef251e78d4b264d9fd4640b8037d97223ed9375e81bac3822498f02d412f0dd5142e6a51a7786eba81915ca5a57c2eb |
memory/1160-1521-0x0000000024160000-0x00000000241C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 00efc0f07a122fc377df4ca3b85f6e07 |
| SHA1 | a3feed882097fbc1234d8673d00400a837cc085b |
| SHA256 | a52bc98eef2fdd46dbcf53319de53442181fe0c10861fa550ce9e77cac8eb610 |
| SHA512 | 0f1cda6f33fc3020f97a0baf6bf14c76f8753d7c41b66d053da454a96ee2037994bb2d2dda373883cd221f9c04201832e538c464536a5806442bd5fe14e3ce24 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f6f492e789bfb2a5b48a4bc47734f89c |
| SHA1 | 42cdd9f9605ff3e2b3e586876f020d7a73c29ea5 |
| SHA256 | f05fd198f980d3797361f0c4bcff306c82d707182d9e33a5b7522d80d17bbc5a |
| SHA512 | 76ac4ede0e25a39c67d6537f2ab0baff01d76a5475384986eda30cb8a13fe0ce3df5a589fabc4499727da6c256665d71d07554265fd03a33cb41c0d078731abc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 366d37b8b2b7da3126e42584229491bf |
| SHA1 | 010b61616285095e8afa20e80f15e366faa37eb3 |
| SHA256 | 6b326e3ec5ac1e48fcfcc9bf2c11bcc87f9d0a0ddb1c5408cae7d2c940007aa4 |
| SHA512 | 0a44e755fe93f36b80d5d242a0147bb123fffa8ae5c32280f80ad962f32d7c390c1bb772ca92eeef1b46c4d3d5aaea466955b81dd8ee8bb4dab202ef61a24907 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7453cebf0a70598f28093ae2726cc572 |
| SHA1 | 6b1fa5cce3f4408dcc2094bbce4d11234d9e0ee8 |
| SHA256 | 871183b4ce9ee1d13483cc7be699a07858d35c9b874699ed1994924bc8f263a5 |
| SHA512 | 6806d2167fff32ee557ef406d2dc7f8e94d9b66af94e1a1e4095034d1778aba392abd8e99f16a77162c0ebacffac8e1188b8a1b770086e8cf3b2e7d41dd5cf7e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4f05619874b1319b313dd163a9c4ac00 |
| SHA1 | 92db79ef30391bac470c0804973a281b02b7b283 |
| SHA256 | 7164957bf4b87ada295daf74c31685bff29ae4a0a4b0579b19112c5934d81841 |
| SHA512 | cb4e2716069a0510b409334f8de228cf5dc38ee0a7dcd5eb3cdb63f449a903156f3fa6d0c9e2384af4a9a7aec190d4a7fe88a86397828695080f19109d6d9126 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 234656b339a4b4ffe46da3e2f0831e60 |
| SHA1 | b54345f354d131595a69e0305e34c32b88e2b3c6 |
| SHA256 | a9714cbd1b23cb842cbbf9d4bf518a128fa9778f93e6c145d81832576a628283 |
| SHA512 | cd9e07feb7837f1f8320d035a5815ceb6cc5a4c5cf7af9ce83eabebf127e180a371ae67325d19125efb887edeee8f2ce2ac98a4443e535b5af990b4624f83bea |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7c8fa83f3f29341b43bde64a0bc806a5 |
| SHA1 | ffc5dc09e1c56a3817cdc058c56e214631eaaefb |
| SHA256 | b96046b09a725ab2729b8cf807b1ad7458e16a0728c919f0410fd66c402588ba |
| SHA512 | ae3161843178d0086f85d1e03d62de97a8c2324a7f718f0da6b609f38dfa5c6007fb2b762efc9c78a693c69349a90dd919179b77ae1a45544d2b97b927c55a19 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6cfcce9a3071ae55342bdd21f030f6e7 |
| SHA1 | f5313fac0ab9bedd6afdc55443684e71edc57f7d |
| SHA256 | 8675af2415b051ce886b7843b9ad29dbd6930e2092fcf18fe7f215609cdc8bb2 |
| SHA512 | 57241068a613c7f1eb279f81ff742ba189c414a706b8480220cd6f94cef3ac4a0c5f4a8fcddfb4adba0b904099e87c2a9370de6532c9edb7cb126179b9547cdd |
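Three things stand out in the Files section. The server.exe dropped under SysWOW64\msnmsg carries the same SHA256 as the submitted sample, so it is the sample copying itself to the location its Run key points at. XxX.xXx in the user's Temp directory appears 19 times with 19 different hashes, a staging file being rewritten during the run. And the memory dumps show a region of exactly 0x62000 bytes in three different PIDs (336, 2884 and 1160) at 0x24xxxxxx addresses, while the 0x400000-0x40A001 image is shared by PIDs 3492, 1160 and 3076 and the larger 0x400000-0x459000 image by PIDs 336 and 1016 (1016 being one of the PIDs WerFault handled); with SetThreadContext and WriteProcessMemory in the signature list, the repeated 0x62000 region is where to look for the injected payload. The script below is an added example, not part of the sandbox tooling: FILES_EXCERPT is copied from the section above (every memory-dump line, and five of the dropped files with their MD5 and SHA256 rows; the SHA1/SHA512 rows and the other XxX.xXx entries are left out for length), and the three checks are this editor's.

```python
"""Triage the Files section of a sandbox report: self-copies, rewritten
staging files, and memory regions of identical size across processes.

Added example, not part of the sandbox tooling. FILES_EXCERPT is copied from
this report's Files section (all memory-dump lines; five dropped files with
their MD5 and SHA256 rows only). The checks are this editor's.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c"

FILES_EXCERPT = r"""
memory/3492-0-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-4-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3492-8-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-7-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-6-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-9-0x0000000000400000-0x0000000000459000-memory.dmp
memory/336-12-0x0000000024010000-0x0000000024072000-memory.dmp
memory/2884-18-0x0000000000420000-0x0000000000421000-memory.dmp
memory/2884-17-0x0000000000160000-0x0000000000161000-memory.dmp
memory/336-16-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2884-78-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Windows\SysWOW64\msnmsg\server.exe
| MD5 | e51b2c0f6c877c1a8b0ad4bc67458fef |
| SHA256 | 5079a73b97bf2544ef1789a7562becb50e2f01aeb2273779c44b8e8e44064a4c |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 51ad3268165a878e5a1dd0ca508005db |
| SHA256 | e5a18c91e4d7a602092ef02a665fb03a0e9e1cf6e904f7990bc41cab2dbe5c26 |
memory/1160-88-0x0000000000400000-0x000000000040A001-memory.dmp
memory/336-150-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1160-151-0x0000000024160000-0x00000000241C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
memory/3076-448-0x0000000000400000-0x000000000040A001-memory.dmp
memory/1016-619-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b43f9815d5930a713b49224633d4e499 |
| SHA256 | 6baa3b3763f868729f5036635f9b9f4f15b5780959381bea16e2f38ff295e0e0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e4df6adef918aa7af7cf302ecc891443 |
| SHA256 | bd1ea0878a9c64a224accbde95e1539263ad37256c0ae724376a6645a1f1f635 |
memory/2884-842-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1160-1521-0x0000000024160000-0x00000000241C2000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_files(text):
    """Return (dropped files, memory dumps): a bare line is a path, the hash rows under it belong to it."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2)
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def self_copies(files, sample_sha256):
    """Dropped files that hash like the submitted sample: the sample installing a copy of itself."""
    return [f["path"] for f in files if f["hashes"].get("SHA256") == sample_sha256]


def rewritten_paths(files):
    """Paths dropped more than once with different content -> number of distinct SHA256 values."""
    seen = defaultdict(set)
    for f in files:
        seen[f["path"]].add(f["hashes"].get("SHA256"))
    return {path: len(h) for path, h in seen.items() if len(h) > 1}


def shared_region_sizes(dumps):
    """Region size -> PIDs that each dumped a region of exactly that size, for sizes seen in more than one PID."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["end"] - d["start"]].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    files, dumps = parse_files(FILES_EXCERPT)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    print("rewritten staging files:", rewritten_paths(files))
    for size, pids in sorted(shared_region_sizes(dumps).items()):
        print(f"region of 0x{size:X} bytes dumped from PIDs {sorted(pids)}")
```

The region-size check is deliberately crude: it keys only on size, so two unrelated regions of equal size would collide. It is enough here because 0x62000 is not a size a Windows image or heap segment normally shares across three processes, and it tells you which dumps to diff first.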