Malware analysis 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe Malicious activity

Add for printing

File name:	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe
Full analysis:	https://app.any.run/tasks/ce1c3f2e-cd89-493b-b81f-dfc3bad90893
Verdict:	Malicious activity
Analysis date:	March 05, 2024, 13:47:39
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	5A1233C02E6CC4579E49D7202D847A2D
SHA1:	57A710D0FDB3EF443A02382F933F591A6493EE74
SHA256:	5C53130B90F4F30685808B7B19A04751FB4EA3B922F5FAB599DF88BBE7CFC529
SSDEEP:	49152:xKEkzIzb9f9QL03ABBjBzwbZVrZFtqE+bHxXW2E+6ikhHMP/+4kUM:xKEhf9QLzvj2bXan04

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Scans artifacts that could help determine the target
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Drops the executable file immediately after the start
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Application was injected by another process
  - powershell.exe (PID: 2368)
- Runs injected code in another process
  - powershell.exe (PID: 6600)
SUSPICIOUS
- The process bypasses the loading of PowerShell profile settings
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
  - powershell.exe (PID: 6392)
- Starts CMD.EXE for commands execution
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Reads security settings of Internet Explorer
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Identifying current user with WHOAMI command
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
  - powershell.exe (PID: 6392)
  - powershell.exe (PID: 6600)
  - powershell.exe (PID: 2368)
- Reads Microsoft Outlook installation path
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Starts POWERSHELL.EXE for commands execution
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
  - powershell.exe (PID: 6392)
- The process executes Powershell scripts
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Possibly malicious use of IEX has been detected
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
  - powershell.exe (PID: 6392)
- Reads Internet Explorer settings
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Probably obfuscated PowerShell command line is found
  - powershell.exe (PID: 6392)
- Starts SC.EXE for service management
  - powershell.exe (PID: 6600)
- Searches for installed software
  - dllhost.exe (PID: 7052)
- The Powershell connects to the Internet
  - powershell.exe (PID: 6392)
- Unusual connection from system programs
  - powershell.exe (PID: 6392)
- Application launched itself
  - powershell.exe (PID: 6392)
- Executes as Windows Service
  - VSSVC.exe (PID: 6836)
INFO
- Checks proxy server information
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
  - powershell.exe (PID: 6392)
  - slui.exe (PID: 7124)
- Reads the computer name
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Checks supported languages
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Process checks Internet Explorer phishing filters
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Creates files or folders in the user directory
  - 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe (PID: 652)
- Create files in a temporary directory
  - powershell.exe (PID: 6600)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 6600)
- Reads the software policy settings
  - powershell.exe (PID: 6600)
  - slui.exe (PID: 7124)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2023:07:08 05:26:14+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	10
CodeSize:	910336
InitializedDataSize:	443904
UninitializedDataSize:	-
EntryPoint:	0xcdb10
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.1.37.1
ProductVersionNumber:	1.1.37.1
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	-
FileVersion:	1.1.37.01
InternalName:	-
LegalCopyright:	-
CompanyName:	-
OriginalFileName:	-
ProductName:	-
ProductVersion:	1.1.37.01

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

203

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

652

"C:\Users\admin\AppData\Local\Temp\5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe"

C:\Users\admin\AppData\Local\Temp\5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1.1.37.01

Modules

Images
c:\users\admin\appdata\local\temp\5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

816

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

takeown.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

904

"C:\WINDOWS\system32\icacls.exe" "C:\WINDOWS\system32\themeui.dll" /grant SYSTEM:F

C:\Windows\System32\icacls.exe

—

ThemePatcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\ucrtbase.dll

1296

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1380

"C:\WINDOWS\system32\whoami.exe" /user

C:\Windows\System32\whoami.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

whoami - displays logged on user information

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

1816

"C:\WINDOWS\system32\takeown.exe" /f "C:\WINDOWS\system32\themeui.dll"

C:\Windows\System32\takeown.exe

—

ThemePatcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Takes ownership of a file

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll

2368

powershell -win 1 -nop -c iex $env:R; # RunAsTI

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

TrustedInstaller.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

2940

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

takeown.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2984

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

takeown.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3040

"C:\WINDOWS\system32\takeown.exe" /f "C:\WINDOWS\system32\themeui.dll"

C:\Windows\System32\takeown.exe

—

ThemePatcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Takes ownership of a file

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll

Add for printing

Total events

20 380

Read events

20 120

Write events

237

Delete events

Modification events


(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\Volatile Environment
Operation:	write	Name:	R8PUSER
Value: admin
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\Volatile Environment
Operation:	write	Name:	R8PCMD
Value: C:\Users\admin\AppData\Local\Temp\5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe
(PID) Process:	(652) 5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\GPU
Operation:	write	Name:	AdapterInfo
Value: vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.546"hypervisor="No Hypervisor (No SLAT)"

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7052	dllhost.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6392	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0q1vf4pf.ldz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6392	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f4hfkj3u.lye.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6392	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:907D4ADD73C3FDF12D8C1D68FB12C0CF	SHA256:87F888588D2D74605CDAFB0B6D23A245E7EE9A3E29DC3A5C290F744EF9124FDE
6392	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log		text
		MD5:E05D010E07FC79F5AC1F0E6D5A63BE68	SHA256:D06594E825F0A1D736810A3AC51341D318FE1918760E676E7F42AFDC5D8A0C8E
2368	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lhts2ree.4bd.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2368	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oknryzqp.gud.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
652	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\loader[1].htm		html
		MD5:EA8CF6B77FAF31DB850FF5440B208CE7	SHA256:0743E34940865862DD0172B09C955EEB8956DD5C5761E39DE8564BBE94D45752
652	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\loader[1].gif		image
		MD5:51051238A295D5A6AD89789CC8D2F802	SHA256:D8AA833309B6C47B08E8C0812071C5DFFE8871BB074D118C9FCF4EE0A79336B1
7052	dllhost.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:44719808A97A155864D7CB2C9D01076B	SHA256:2C7AE781CB96819AEAE9362C58B92D8F7251A2A439134C849FAF2452CD2A1D41

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6392	powershell.exe	GET	200	35.185.44.232:80	http://revert8plus.gitlab.io/release/ti.ps1	unknown	text	3.67 Kb	unknown
652	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	GET	200	35.185.44.232:80	http://revert8plus.gitlab.io/release/loader.html	unknown	html	201 b	unknown
652	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	GET	200	35.185.44.232:80	http://revert8plus.gitlab.io/release/loader.gif	unknown	image	81.9 Kb	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
6904	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	unknown
6500	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	GET	200	35.185.44.232:80	http://revert8plus.gitlab.io/release/loader.gif	unknown	image	81.9 Kb	unknown
6500	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	GET	200	35.185.44.232:80	http://revert8plus.gitlab.io/release/loader.html	unknown	html	201 b	unknown
6188	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	314 b	unknown
1268	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	unknown
768	lsass.exe	GET	200	2.23.197.184:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6904	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5928	svchost.exe	20.190.160.20:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3848	svchost.exe	239.255.255.250:1900	—	—	—	unknown
6896	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
652	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	35.185.44.232:80	revert8plus.gitlab.io	GOOGLE-CLOUD-PLATFORM	US	unknown
6392	powershell.exe	35.185.44.232:80	revert8plus.gitlab.io	GOOGLE-CLOUD-PLATFORM	US	unknown
5928	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6904	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	unknown

DNS requests

Domain	IP	Reputation
revert8plus.gitlab.io	35.185.44.232	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.bing.com	23.15.178.203 23.15.178.208 23.15.178.136 23.15.178.251 23.15.178.179 23.15.178.200 23.15.178.234 23.15.178.147	whitelisted
arc.msn.com	20.74.47.205	whitelisted
mhoefs.eu	130.61.243.57	unknown
x1.c.lencr.org	2.23.197.184 2.19.245.44	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

PID	Process	Class	Message
6392	powershell.exe	Potentially Bad Traffic	ET INFO PS1 Powershell File Request
6392	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
6500	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
6392	powershell.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Windows security identifiers S-1-5-18 (NT AuthoritySystem) was detected
6392	powershell.exe	Potentially Bad Traffic	ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
6500	5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529.exe

5A1233C02E6CC4579E49D7202D847A2D

57A710D0FDB3EF443A02382F933F591A6493EE74

5C53130B90F4F30685808B7B19A04751FB4EA3B922F5FAB599DF88BBE7CFC529

49152:xKEkzIzb9f9QL03ABBjBzwbZVrZFtqE+bHxXW2E+6ikhHMP/+4kUM:xKEhf9QLzvj2bXan04

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

Drops the executable file immediately after the start

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

The process bypasses the loading of PowerShell profile settings

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Identifying current user with WHOAMI command

Reads Microsoft Outlook installation path

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Possibly malicious use of IEX has been detected

Reads Internet Explorer settings

Probably obfuscated PowerShell command line is found

Starts SC.EXE for service management

Searches for installed software

The Powershell connects to the Internet

Unusual connection from system programs

Application launched itself

Executes as Windows Service

INFO

Checks proxy server information

Reads the computer name

Checks supported languages

Process checks Internet Explorer phishing filters

Creates files or folders in the user directory

Create files in a temporary directory

Reads security settings of Internet Explorer

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats