Malware Analysis Report

2024-10-10 13:33

Sample ID 240527-kw2xjaed4y
Target Activation-Patch.zip
SHA256 3bf8263b56a109a52c84015c03911470998e7f9815b6504a924e9cf07a4958db
Tags
rhadamanthys evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bf8263b56a109a52c84015c03911470998e7f9815b6504a924e9cf07a4958db

Threat Level: Known bad

The file Activation-Patch.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys evasion execution stealer trojan

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks whether UAC is enabled

Maps connected drives based on registry

Suspicious use of SetThreadContext

Program crash

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 08:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 08:57

Reported

2024-05-27 09:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 08:57

Reported

2024-05-27 09:00

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

160s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1288 created 2424 N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\driver1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 1288 N/A C:\ProgramData\driver1.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
PID 4972 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
PID 4972 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
PID 4972 wrote to memory of 892 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
PID 4972 wrote to memory of 1892 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Activation-Patch.exe --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4284.3408.16570056567216377432

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=122.0.2365.52 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7fffce9e2e98,0x7fffce9e2ea4,0x7fffce9e2eb0

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1784 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --mojo-platform-channel-handle=2100 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --mojo-platform-channel-handle=1772 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3532 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:1

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3324 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\ProgramData\driver1.exe

C:\ProgramData\driver1.exe

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1288 -ip 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1288 -ip 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 468

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
RU 147.45.44.73:1445 147.45.44.73 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 73.44.45.147.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 89.23.98.116:1444 89.23.98.116 tcp
RU 147.45.44.73:1488 147.45.44.73 tcp
US 8.8.8.8:53 116.98.23.89.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
US 204.79.197.239:443 tcp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 104.91.71.146:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 146.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.106:443 chromewebstore.googleapis.com tcp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 08:57

Reported

2024-05-27 09:00

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 08:57

Reported

2024-05-27 09:00

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1

Network


Files

N/A