Malware analysis CrowdStrike Malicious activity | ANY.RUN

Add for printing

File name:	CrowdStrike
Full analysis:	https://app.any.run/tasks/2e3c3060-0486-4049-8370-d43f8f0fbb23
Verdict:	Malicious activity
Analysis date:	July 21, 2024, 21:13:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion telegram
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	755C0350038DAEFB29B888B6F8739E81
SHA1:	5B2F56953B3C925693386CAE5974251479F03928
SHA256:	4491901EFF338AB52C85A77A3FBD3CE80FDA738046EE3B7DA7BE468DA5B331A3
SSDEEP:	98304:CO4TQUWqwtFki0Kgxu3EgjvhjHcAf5/3rk6+YCJ28ZAj/nb2kk/9HXwsWJt2UGfR:lEv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - CrowdStrike.exe (PID: 6348)
  - cmd.exe (PID: 7604)
  - RegAsm.exe (PID: 6084)
  - Champion.pif (PID: 6604)
  - RegAsm.exe (PID: 7332)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 6320)
  - findstr.exe (PID: 6912)
  - findstr.exe (PID: 5624)
  - findstr.exe (PID: 4972)
  - findstr.exe (PID: 5156)
  - findstr.exe (PID: 7660)
  - findstr.exe (PID: 7080)
  - findstr.exe (PID: 7292)
- Actions looks like stealing of personal data
  - RegAsm.exe (PID: 6084)
SUSPICIOUS
- Reads the date of Windows installation
  - CrowdStrike.exe (PID: 6348)
  - Champion.pif (PID: 6660)
  - CrowdStrike.exe (PID: 1144)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
- Reads security settings of Internet Explorer
  - CrowdStrike.exe (PID: 6348)
  - Champion.pif (PID: 6660)
  - CrowdStrike.exe (PID: 1144)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
- Executing commands from ".cmd" file
  - CrowdStrike.exe (PID: 6348)
  - CrowdStrike.exe (PID: 1144)
  - CrowdStrike.exe (PID: 3540)
  - CrowdStrike.exe (PID: 1144)
- Get information on the list of running processes
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 6288)
- Starts CMD.EXE for commands execution
  - CrowdStrike.exe (PID: 6348)
  - cmd.exe (PID: 7604)
  - Champion.pif (PID: 6660)
  - cmd.exe (PID: 7548)
  - CrowdStrike.exe (PID: 1144)
  - cmd.exe (PID: 7800)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
  - cmd.exe (PID: 6288)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 6288)
- Application launched itself
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 6288)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 7604)
  - Champion.pif (PID: 6604)
  - RegAsm.exe (PID: 6084)
  - RegAsm.exe (PID: 7332)
- Suspicious file concatenation
  - cmd.exe (PID: 2476)
  - cmd.exe (PID: 3792)
  - cmd.exe (PID: 7864)
  - cmd.exe (PID: 4076)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 7604)
- Starts application with an unusual extension
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 6288)
- The executable file from the user directory is run by the CMD process
  - Champion.pif (PID: 6660)
  - Champion.pif (PID: 6604)
  - Champion.pif (PID: 2968)
  - Champion.pif (PID: 3624)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 6288)
- Drops a system driver (possible attempt to evade defenses)
  - RegAsm.exe (PID: 6084)
  - RegAsm.exe (PID: 7332)
- The process creates files with name similar to system file names
  - Champion.pif (PID: 6604)
- Checks for external IP
  - RegAsm.exe (PID: 6084)
- Process drops legitimate windows executable
  - Champion.pif (PID: 6604)
- Starts a Microsoft application from unusual location
  - RegAsm.exe (PID: 6084)
  - RegAsm.exe (PID: 7332)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RegAsm.exe (PID: 6084)
- Executes application which crashes
  - GameBar.exe (PID: 6264)
  - RegAsm.exe (PID: 6084)
INFO
- Create files in a temporary directory
  - CrowdStrike.exe (PID: 6348)
  - CrowdStrike.exe (PID: 1144)
  - Champion.pif (PID: 6604)
  - RegAsm.exe (PID: 6084)
  - CrowdStrike.exe (PID: 3540)
  - CrowdStrike.exe (PID: 1144)
  - RegAsm.exe (PID: 7332)
- Checks supported languages
  - CrowdStrike.exe (PID: 6348)
  - Champion.pif (PID: 6660)
  - CrowdStrike.exe (PID: 1144)
  - Champion.pif (PID: 6604)
  - RegAsm.exe (PID: 6084)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
  - RegAsm.exe (PID: 7332)
  - Champion.pif (PID: 3624)
- Reads the computer name
  - CrowdStrike.exe (PID: 6348)
  - CrowdStrike.exe (PID: 1144)
  - Champion.pif (PID: 6660)
  - RegAsm.exe (PID: 6084)
  - Champion.pif (PID: 6604)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
  - Champion.pif (PID: 3624)
  - RegAsm.exe (PID: 7332)
- Process checks computer location settings
  - CrowdStrike.exe (PID: 6348)
  - Champion.pif (PID: 6660)
  - CrowdStrike.exe (PID: 1144)
  - CrowdStrike.exe (PID: 3540)
  - Champion.pif (PID: 2968)
  - CrowdStrike.exe (PID: 1144)
- Reads mouse settings
  - Champion.pif (PID: 6660)
  - Champion.pif (PID: 6604)
  - Champion.pif (PID: 2968)
  - Champion.pif (PID: 3624)
- Checks proxy server information
  - RegAsm.exe (PID: 6084)
- Manual execution by a user
  - CrowdStrike.exe (PID: 3540)
  - WerFault.exe (PID: 8160)
- Reads the machine GUID from the registry
  - RegAsm.exe (PID: 6084)
- Reads Environment values
  - RegAsm.exe (PID: 6084)
- Disables trace logs
  - RegAsm.exe (PID: 6084)
- Reads the software policy settings
  - RegAsm.exe (PID: 6084)
- Attempting to use instant messaging service
  - RegAsm.exe (PID: 6084)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:19:54+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	28160
InitializedDataSize:	446976
UninitializedDataSize:	16896
EntryPoint:	0x3883
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	CrowdStrike Updater
FileVersion:	1.0.0.0
InternalName:	CrowdStrike Updater.exe
LegalCopyright:	Copyright © 2024
LegalTrademarks:	-
OriginalFileName:	CrowdStrike Updater.exe
ProductName:	CrowdStrike
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

231

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

findstr /V "locatedflatrendsoperating" Ukraine

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

676

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1068

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1144

C:\Users\admin\Desktop\CrowdStrike.exe

—

cmd.exe

User:

admin

Integrity Level:

HIGH

Description:

CrowdStrike Updater

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\crowdstrike.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1144

C:\Users\admin\Desktop\CrowdStrike.exe

—

cmd.exe

User:

admin

Integrity Level:

HIGH

Description:

CrowdStrike Updater

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\crowdstrike.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1212

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Search application

Version:

10.0.19041.3996 (WinBuild.160101.0800)

1220

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

1332

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2476

cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2620

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

10 728

Read events

10 665

Write events

Delete events

Modification events


(PID) Process:	(6348) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6348) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6348) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6348) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6660) Champion.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6660) Champion.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6660) Champion.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6660) Champion.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1144) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1144) CrowdStrike.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

1 062

Text files

144

Unknown types

112

Dropped files

PID	Process	Filename		Type
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Democracy		binary
		MD5:DEE42E543988CD988E8AEB4B03F488EB	SHA256:8F444581168196C045FABDE65F1C0667154AFE2FE6302E7FF342AEFD3B6B829D
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Sept		mp3
		MD5:ED3292F153EC8B60B8F7FFB1CA9F0858	SHA256:1E8C217DF502D035EA3B1AC2212C20C9B9DA4DD6FF81D1C3C41A0AF00D8C0D5D
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Viagra		binary
		MD5:B6FE42E6BD0D9F4B87B6F73EF06A3D0B	SHA256:D1FBE283CCD1DB36BC91000CFB3694030DCC026FA1987118994B36C37E970E72
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Consequences		pgc
		MD5:19E98CBB75F1B8BD8EFDE5FE0ABD34B2	SHA256:DF0CB092CD377DF6571BB86BB48E586E1A5012EDBE1C8A180DE8BE3FAE080356
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Develops		binary
		MD5:6DB6B2AE5BAAE977FAE168E4A08641B4	SHA256:88C137E5726172061F509246ADA7D2D3CB8E5DABCF35CADF1D49C49B073A80A4
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Wave		binary
		MD5:E27F5F4215920D7C0DB01D3A07E32FAD	SHA256:C5A836D0021A235D4FC30764DFD4A2ABB33B23CA25F4DCA4A9BA7A8423F7753E
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Carroll		text
		MD5:9FAB9F640DB1F75FB8C18BFB50976ABD	SHA256:1FA1F7F0089F89E07406412C257AE546BB9728F7055F804E800E6C41A682C882
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Ferry		binary
		MD5:05607FDAAA89639249B09951F5624870	SHA256:11BDE3AF35BD166FEA20604167525CC28A2EB2FD0BC66B054C190AF00447F50C
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Often		abr
		MD5:8C1308689913B76D47B2FEA6C94378C6	SHA256:E0055A2B04595818CDC4B3C5EDB54539E5C3EDF69E134914E6BAD45AB56D0A04
6348	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Buyers		binary
		MD5:A001542705E46D08B5B2D97CD0706599	SHA256:EE55F2498F769CBAF5E60C7E3E28A93BEEE507083920CF9D18C9CA9043409E56

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	104.16.184.241:80	http://icanhazip.com/	unknown	—	—	shared
6084	RegAsm.exe	GET	200	104.16.184.241:80	http://icanhazip.com/	unknown	—	—	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4716	svchost.exe	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
532	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4716	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.160.17 20.190.160.22 40.126.32.72 40.126.32.133 40.126.32.68 20.190.160.14 40.126.32.134 40.126.32.136	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.74.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT	—	unknown
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	92.123.104.44 92.123.104.32 92.123.104.31 92.123.104.33 92.123.104.28 92.123.104.60 2.23.209.133 2.23.209.140 2.23.209.187 2.23.209.130 2.23.209.189 2.23.209.149	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted

Threats

PID	Process	Class	Message
6084	RegAsm.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2168	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
6084	RegAsm.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2168	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6084	RegAsm.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6084	RegAsm.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
—	—	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

Add for printing

No debug info

General Info

CrowdStrike

755C0350038DAEFB29B888B6F8739E81

5B2F56953B3C925693386CAE5974251479F03928

4491901EFF338AB52C85A77A3FBD3CE80FDA738046EE3B7DA7BE468DA5B331A3

98304:CO4TQUWqwtFki0Kgxu3EgjvhjHcAf5/3rk6+YCJ28ZAj/nb2kk/9HXwsWJt2UGfR:lEv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

Actions looks like stealing of personal data

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executing commands from ".cmd" file

Get information on the list of running processes

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Executable content was dropped or overwritten

Suspicious file concatenation

Drops a file with a rarely used extension (PIF)

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Uses TIMEOUT.EXE to delay execution

Drops a system driver (possible attempt to evade defenses)

The process creates files with name similar to system file names

Checks for external IP

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Executes application which crashes

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads mouse settings

Checks proxy server information

Manual execution by a user

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Reads the software policy settings

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity