Analysis Overview
SHA256
3bf8263b56a109a52c84015c03911470998e7f9815b6504a924e9cf07a4958db
Threat Level: Known bad
The file Activation-Patch.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks whether UAC is enabled
Maps connected drives based on registry
Suspicious use of SetThreadContext
Program crash
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 08:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 08:57
Reported
2024-05-27 09:00
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 08:57
Reported
2024-05-27 09:00
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1288 created 2424 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\driver1.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2948 set thread context of 1288 | N/A | C:\ProgramData\driver1.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Activation-Patch.exe --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4284.3408.16570056567216377432
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=122.0.2365.52 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7fffce9e2e98,0x7fffce9e2ea4,0x7fffce9e2eb0
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1784 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --mojo-platform-channel-handle=2100 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --mojo-platform-channel-handle=1772 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView" --webview-exe-name=Activation-Patch.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3532 --field-trial-handle=1788,i,6791909945494134597,3189890326931757215,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version /prefetch:1
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3324 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 468
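The process list above is the actionable part of this run: a hidden PowerShell adds a Defender exclusion for C:\ProgramData, driver1.exe is then dropped into and executed from exactly that folder, a scheduled task named WinDriver is registered to run C:\ProgramData\Microsoft\WinDriver.cmd as SYSTEM at boot, and the signed Windows binary BitLockerToGo.exe (whose thread context driver1.exe set, per the signatures) goes on to start dialer.exe and crash twice under WerFault. The long AdjustPrivilegeToken list for wmic.exe is wmic enabling its privileges at startup and is not an indicator by itself; the queries it ran (video controller name, csproduct UUID) are the fingerprinting signal. Note also that dialer.exe's image is C:\Windows\SysWOW64\dialer.exe while its command line names system32: a 32-bit parent launched it under WOW64 redirection.

The following is an added example and is not part of the sandbox report. It runs detection checks for those behaviours over process-creation events constructed from the command lines above; the parent-process values (inferred from the signatures, or simply assumed for the first launch) and the rule thresholds are the author's assumptions.

```python
"""Process-creation checks for the behaviours in the behavioral2 process list.

Added example, not part of the sandbox report. Events are modelled on Sysmon
Event ID 1 fields (Image, CommandLine, ParentImage). Sample events are
constructed from the report's command lines; parent_image values are inferred
from its signatures or, for the initial Activation-Patch.exe launch, assumed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process


# Roots a standard user can write to: a SYSTEM task action or a freshly
# executed EXE under one of these is the pattern this report shows.
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def defender_exclusion_added(ev: ProcEvent) -> bool:
    """Add-MpPreference -Exclusion* from PowerShell (Defender Event 5007 records the same change)."""
    return _basename(ev.image) == "powershell.exe" and re.search(
        r"add-mppreference\s+-exclusion(path|process|extension)", ev.command_line, re.I) is not None


def system_task_action_in_writable_path(ev: ProcEvent) -> bool:
    """schtasks /create ... /ru SYSTEM whose /tr action lives in a user-writable directory."""
    cl = ev.command_line.lower()
    if _basename(ev.image) != "schtasks.exe" or "/create" not in cl:
        return False
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cl)
    action = (m.group(1) or m.group(2)) if m else ""
    return "/ru system" in cl and action.startswith(WRITABLE_ROOTS)


def exe_executed_from_writable_path(ev: ProcEvent) -> bool:
    img = ev.image.lower()
    return img.endswith(".exe") and img.startswith(WRITABLE_ROOTS)


def wmic_host_fingerprinting(ev: ProcEvent) -> bool:
    """GPU model and SMBIOS UUID queries: typical VM/sandbox checks, rare from interactive admins."""
    return _basename(ev.image) == "wmic.exe" and re.search(
        r"win32_videocontroller|csproduct", ev.command_line, re.I) is not None


def microsoft_binary_used_as_injection_host(ev: ProcEvent) -> bool:
    """BitLockerToGo.exe or dialer.exe started by each other or by something in a writable root.

    Assumption: on a Win10 host neither is normally launched by anything but
    explorer.exe, so any other parent is treated as suspicious.
    """
    img, parent = _basename(ev.image), ev.parent_image.lower()
    if img == "bitlockertogo.exe":
        return not parent.endswith("\\explorer.exe")
    if img == "dialer.exe":
        return parent.endswith("\\bitlockertogo.exe") or parent.startswith(WRITABLE_ROOTS)
    return False


RULES: dict[str, Callable[[ProcEvent], bool]] = {
    f.__name__: f for f in (
        defender_exclusion_added,
        system_task_action_in_writable_path,
        exe_executed_from_writable_path,
        wmic_host_fingerprinting,
        microsoft_binary_used_as_injection_host,
    )
}


def evaluate(events: Iterable[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule name, image) for every rule that fires on every event."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Activation-Patch.exe"
DRIVER1 = r"C:\ProgramData\driver1.exe"
BLTG = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

# Constructed from the report's process list; parents as described in the docstring.
EVENTS = [
    ProcEvent(DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\Wbem\wmic.exe", "wmic path win32_VideoController get name", DROPPER),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""', DROPPER),
    ProcEvent(r"C:\Windows\System32\Wbem\wmic.exe", "wmic csproduct get uuid", DROPPER),
    ProcEvent(DRIVER1, DRIVER1, DROPPER),
    ProcEvent(r"C:\Windows\system32\schtasks.exe",
              r"schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM", DRIVER1),
    ProcEvent(BLTG, BLTG, DRIVER1),
    # 32-bit parent: the SysWOW64 image is what WOW64 redirection starts for the system32 path.
    ProcEvent(r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"', BLTG),
]

# Benign control: an ordinary WMI query from an admin's cmd.exe should fire nothing.
BENIGN_CONTROL = ProcEvent(r"C:\Windows\System32\Wbem\wmic.exe", "wmic os get caption",
                           r"C:\Windows\System32\cmd.exe")

if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:40} {image}")
```

Run stand-alone it prints eight hits across the five rules; the benign wmic control fires none. The Defender-exclusion and scheduled-task rules are the ones worth promoting to production first: both key on a complete command line rather than on a parent relationship, so they survive the parent-PID spoofing the NtCreateUserProcessOtherParentProcess signature shows this sample performing.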
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| RU | 147.45.44.73:1445 | 147.45.44.73 | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.44.45.147.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 89.23.98.116:1444 | 89.23.98.116 | tcp |
| RU | 147.45.44.73:1488 | 147.45.44.73 | tcp |
| US | 8.8.8.8:53 | 116.98.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 204.79.197.239:443 | | tcp |
| US | 8.8.8.8:53 | 239.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 104.91.71.146:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 146.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
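Most of this table is not the sample talking: the 8.8.8.8/8.8.4.4 rows are the resolver (including DoH to dns.google on 443), the in-addr.arpa rows are reverse lookups of addresses that were contacted, and the Microsoft and Google domains are Edge/WebView2 background traffic from the msedgewebview2.exe children. What remains is three plain-TCP connections to two RU-geolocated addresses with no hostname on non-standard ports (147.45.44.73:1445, 147.45.44.73:1488, 89.23.98.116:1444), which is where the "GoLang User-Agent" signature (Go-http-client/1.1) most plausibly belongs. That User-Agent alone is a weak indicator, since any Go program emits it; paired with raw-IP high-port connections it is worth alerting on.

The following is an added example, not part of the report. It parses the rows above, classifies each into noise or candidate C2, and emits Suricata alert rules for the candidates; the background-domain suffixes and the "standard port" set are the author's assumptions.

```python
"""Triage of the behavioral2 Network table: separate resolver, reverse-DNS and
browser-background traffic from candidate C2 endpoints and emit block rules.

Added example, not part of the sandbox report. Which domain suffixes count as
Edge/WebView2 background traffic and which ports count as standard are the
author's assumptions; the rows themselves are copied from the report.
"""

# Representative rows from the report (Country | Destination | Domain | Proto).
NETWORK_TABLE = """
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| RU | 147.45.44.73:1445 | 147.45.44.73 | tcp |
| US | 8.8.8.8:53 | 73.44.45.147.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| RU | 89.23.98.116:1444 | 89.23.98.116 | tcp |
| RU | 147.45.44.73:1488 | 147.45.44.73 | tcp |
| US | 204.79.197.239:443 | | tcp |
| GB | 104.91.71.146:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
"""

RESOLVERS = {"8.8.8.8", "8.8.4.4"}          # the sandbox's upstream DNS, plain and DoH
STANDARD_PORTS = {53, 80, 443}
# Assumption: Edge/WebView2 update, store and resolver traffic, not sample-driven.
BACKGROUND_SUFFIXES = (".microsoft.com", ".googleapis.com", "dns.google")
PROTOS = {"tcp", "udp"}


def parse_rows(table: str) -> list[dict]:
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[2] in PROTOS and cells[3] == "":
            cells = [cells[0], cells[1], "", cells[2]]   # tolerate a dropped empty Domain cell
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row: dict) -> str:
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ip.startswith("127."):
        return "loopback"
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"          # reverse lookups of contacted addresses, not C2
    if ip in RESOLVERS:
        return "resolver"
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if (not domain or domain == ip) and port not in STANDARD_PORTS:
        return "candidate_c2"        # raw IP, no name, non-standard port
    if not domain:
        return "review_no_domain"    # TLS to an address the sandbox never saw resolved
    return "review"


def candidate_c2(table: str) -> list[tuple[str, int]]:
    return sorted({(r["ip"], r["port"]) for r in parse_rows(table) if classify(r) == "candidate_c2"})


def suricata_rules(endpoints, sid_base: int = 1000001) -> list[str]:
    """One alert rule per endpoint; the msg text is ours, not taken from the report."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Sandbox-derived candidate C2 {ip}:{port}"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    for r in parse_rows(NETWORK_TABLE):
        print(f'{classify(r):18} {r["ip"]}:{r["port"]} {r["domain"]}')
    print("\n".join(suricata_rules(candidate_c2(NETWORK_TABLE))))
```

The two `review_no_domain` rows (13.107.253.67:443 and 204.79.197.239:443) are deliberately not promoted to candidates: TLS to an address on a standard port with no observed resolution is common for browser components that cache DNS, so they need an analyst's look at the certificate or SNI rather than an automatic block. Before deploying the generated rules, check the three endpoints against current threat intel; sandbox-observed C2 rotates quickly.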
Files
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Crashpad\settings.dat
| MD5 | c7e49bc595b4f2f52bd1ffa8965759a5 |
| SHA1 | 62cd367cc56808ff95be3f6a3a80212404d16fe7 |
| SHA256 | 18416d286aa2abd79e3017348e75be15f15a55d01a149899eba9b9506dc121da |
| SHA512 | 45ebc463c44a9902b5a846da25beae4b5ea3f0e396c4086ebffff813161a660cd5dbe33cb4e56ed1536bcb511f5d44c59be1239802cdce938c60cb0281ba9d11 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
memory/4492-24-0x00007FFFF5EA0000-0x00007FFFF5EA1000-memory.dmp
\??\pipe\crashpad_4972_YPWPFXPHOBMNVHEC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1892-29-0x00007FFFF6880000-0x00007FFFF6881000-memory.dmp
memory/1892-30-0x00007FFFF69D0000-0x00007FFFF69D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Site Characteristics Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Crashpad\settings.dat
| MD5 | f9b3ec2582b82166b0473b6f5a2a513c |
| SHA1 | 46a499a9e66ff4ef4a3604b0a5ac7ba84d71445d |
| SHA256 | 571d9ea4f80a8646fb298794297328070f071335d97a60fb7d30cdb68d5fd3d6 |
| SHA512 | bf755cb62db0c474789dd5656bd1ca6e4bc14f5c5f3926cf32cc6f4ba5f7021ea1ad8e40b813df2b5f61934c172e54641c2d5833d75d3c31517e279ab9195703 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State
| MD5 | 051d6ac55f1ea1d31a7624eea2b55c90 |
| SHA1 | c9761957701ff727dc44ab399b8c2edcd684a65a |
| SHA256 | aaed4762755ad7886d2e83981424b9cb77faa0e8a04be2995ca9848985f644e9 |
| SHA512 | 64627c61f61d05821fdd49f3e73cba701dfa3763513fde25b9c2e30ad22da62d8c46b4710f797459beccb9b0de816dec0b2021edfdddf804776738fb0288081f |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State~RFe586aea.TMP
| MD5 | 8586c065ed11c80c9a371001c3de3574 |
| SHA1 | d4b64152b040fce66d61ab9d52311673e4c62eb4 |
| SHA256 | bbc2cc6d8acab510284a4f5256ae8a20b07b4662bb96522ba9119b4ca06da91a |
| SHA512 | 64460a413b903798ad30c9472bb997d675d7c32642337bbffca13a8e87f05553e0d7262fbcd8ad46482e8b203e0ec2496f3832301f63281fce1751f14c356666 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State
| MD5 | fe2254c50c6c06d64e1e3d27ee2ed415 |
| SHA1 | 60d3daff1f735f6d84a39691ce8a16b61981f645 |
| SHA256 | 78d0fd01d912ad7d81443b43635aa9f79964dec917e4471849ea68e882e483e9 |
| SHA512 | 63bb8fdb1af393fe4f10bda41929d1654ef9adff7c8b1e3749b70ec98401db8f925266936959a1b4cd4f7a76234de901b87a3e3d06348e251e6989da767c60ed |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\DawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\DawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\DawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
memory/1016-135-0x00007FFFF5EA0000-0x00007FFFF5EA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2c2lfl02.tlw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2044-164-0x000001CCFECA0000-0x000001CCFECC2000-memory.dmp
memory/4492-174-0x000002A7BD920000-0x000002A7BDA4A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State
| MD5 | 637253d82dc0fe96d1b156ab485ab9ed |
| SHA1 | 851f3a06c51aea68ae8ef85a603c29aea7f8fa5f |
| SHA256 | 2b2ab8d2673f00401612489cda77f0b685c7f2fbf82667d6932568bee70feec4 |
| SHA512 | f4157707a8a60a2c0c05cd9e02b68135fa85377806176c8b5699e127308ca113d995580ea83604bbb5a45888e5ca4cc923fecc99a0dbddf0b5e12557c5ddcd9f |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State
| MD5 | 1a10f17f0e94205cff7ebe7c568cf246 |
| SHA1 | 25ef0f830ce25dd4e9a8f500b19f26441dea8b28 |
| SHA256 | a386f15cf08a45d1a424e113a491b63e4481d2b7ff3134be7b1195ba518c93f6 |
| SHA512 | 0b7631727b619fb5e619793a0262b1b60fc6226ec3878626bd50bd1e94e4a873f306f92e029b6e42d253174c0c47898cc8b0f311cbeb0bac2dd60ac0f507c4d0 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe58ced4.TMP
| MD5 | 8d513bc6187d9a3e79c87e868121abaf |
| SHA1 | be7fefb49391819608eef25167e5e6692947f8ae |
| SHA256 | b27d9cb0a91847585f3d1f07a63e3da05cde728464b601b2e740d934fabdd548 |
| SHA512 | 773a64aa690beb0c6bf0d3ecfe88def6cc177c81814bf29bb78628e32631ae1260e237e15877ff92204b619bcd013b4bdf3db359b60377d4fa30b8913cdba026 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b2696f56ff95a41e98b65e16d66b9aba |
| SHA1 | e8777906147698562b86e32cf650cee8c81760c0 |
| SHA256 | eb916937af5eff1bfdc0abedd8c1a795a322686934b3b9f7a9e8ab2f75e2c5b9 |
| SHA512 | 926364e371f801f36c339be21e170e66d09dadf319ac7593a3ee786e3c5fa2ebc30af6e4c6ca9ce01cd132db1b26561c05128fd77b5e5f6fba18517c7971f8e9 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Preferences~RFe590fd5.TMP
| MD5 | 32408a52aa2a1075b8fae805103b3cdd |
| SHA1 | 2cd1c0b9d553539bb2180ddeb624b0e506b83e8a |
| SHA256 | 56202e4de977ef5a05eafe18ef1fc159796118a6d3d411764d085edb4707c0c9 |
| SHA512 | 80de300faca0dc339bcbde8167448ad28c6b5c5d5db2e2b0a9012b9a26f5d5467a8cc04a71833ffe9b7304ce179cb2d5d11c4cbe6e8ab548d4971a9357e3e726 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Preferences
| MD5 | 49b393b844aa695aa0c5b1248ceb6852 |
| SHA1 | 44a10d142998f3d40b4444f3ef816e8b01dc4e04 |
| SHA256 | f494cf9bf81e30be876f78331fd2f3e2c6d1395eb3cbdb35d3dfaa44648d2893 |
| SHA512 | f5d1f7c20505e7942c573b7cd47646b6ee81f866b22dae5cef81580791ebe79a82baef019f0308698a65f85b409cb60dd78f61af916fe0c228ca3e47f458b070 |
C:\ProgramData\driver1.exe
| MD5 | c1883a829c7cfafc5c50802a01f4b03b |
| SHA1 | f803939b6f8048be5a98c60e33f01910206c8960 |
| SHA256 | 64a49ff6862b2c924280d5e906bc36168112c85d9acc2eb778b72ea1d4c17895 |
| SHA512 | db502c418342d49c827e34659d0121ff9d9c0bb7ad7b7aadac3befdedaf6768e15aa90544937521453a4b67928ff54737995cb877dd5af3be3d2053773afbf2d |
memory/2948-252-0x00007FF712290000-0x00007FF713AFD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Local State
| MD5 | 1b42f5951bed24e1530187f349035887 |
| SHA1 | 4fb62ba89db7d3c4a00b67ce452e764fb4951b46 |
| SHA256 | ab84092f937e6b87f8b036001311570d43f5ba2780619c8e393a60582baed4ef |
| SHA512 | 670c55c08e6e477a06d8f9c8762944b18891d57e1c5b1e7f47795b3dfa2806dc6a40a739d55fe4eab2c384b0db668004ed6b1caf0093bf0029da8a4cefc0665b |
memory/1288-274-0x0000000000880000-0x00000000008ED000-memory.dmp
memory/2948-275-0x00007FF712290000-0x00007FF713AFD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\DawnCache\data_1
| MD5 | 59e8539c1cb35923d06e4b7c764a03ce |
| SHA1 | 3ec31d68e827104049f9b0f9cee590703e54af42 |
| SHA256 | eb56804bdfd866f20c5eef210bbf385f0ed9230130b2ad52431945e360da0ad5 |
| SHA512 | 07bdf3c2bce032d925c7095338eba575b62adfa1568190d4c81baa70525de46837fee33f25a08c030316a49ae1027c94e2626558afd648153370bf842de478a1 |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Preferences
| MD5 | eed5fc5fea98970c8619488a028a6443 |
| SHA1 | 71fc1b236ecf13cfb053290c0ce99aebde37aecf |
| SHA256 | 06f7d05d5fc09bab9d2aac902950dce3d24f8f02842a75316860695f71693e92 |
| SHA512 | e7eceb85987c367138fde534c17fe471af2d4399ececdf63f7973f113ec51798dc0ea21564d4e53b4fdd3465cffd357898ba361d9fc9d3cba86cadb81f2a42e6 |
memory/1288-394-0x0000000000880000-0x00000000008ED000-memory.dmp
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Network\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Roaming\Activation-Patch.exe\EBWebView\Default\Network\Network Persistent State~RFe59765f.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
memory/1288-440-0x0000000003890000-0x0000000003C90000-memory.dmp
memory/1288-441-0x0000000003890000-0x0000000003C90000-memory.dmp
memory/1288-442-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/1288-444-0x0000000075510000-0x0000000075725000-memory.dmp
memory/4408-445-0x0000000000E50000-0x0000000000E59000-memory.dmp
memory/4408-447-0x0000000002A40000-0x0000000002E40000-memory.dmp
memory/4408-448-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/4408-450-0x0000000075510000-0x0000000075725000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 08:57
Reported
2024-05-27 09:00
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 08:57
Reported
2024-05-27 09:00
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
107s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cheat.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |