File name:	Verdacryptor.ps1
Full analysis:	https://app.any.run/tasks/08d275c9-a76b-4e40-aa28-50413280ba1f
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 23:40:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text, with very long lines (606), with CRLF line terminators
MD5:	1F5488BA61E97E87DF8FE38F422AB656
SHA1:	555BA61DA9AACA4AA014547CFA7C6A094CD4EEA2
SHA256:	44BC57C23C19C1BB99A4430A8A525DCE83A0A3FE559E21907BE6E80D333A29EE
SSDEEP:	384:sKSUBSzj5mMEEpi0D04eEMls/11AUfoUHKPw3+4CFY1XY:3M5mME00xEbrlkq+40mXY


(PID) Process:	(3300) powershell.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\Shell\Open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(4008) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4008) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4008) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4008) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3300) powershell.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\Shell\Open\command
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
3300	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G9LHZ57DRIQEXSUKAEJV.temp		binary
		MD5:C2B41B9AE80F16CFF1260A7C5967367F	SHA256:4E5440B3F0CE885182DE636C23DD210E5CDC0E609FC4ED32320ECF36CF14F482
3300	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:C2B41B9AE80F16CFF1260A7C5967367F	SHA256:4E5440B3F0CE885182DE636C23DD210E5CDC0E609FC4ED32320ECF36CF14F482
3300	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n3vaut4p.jeo.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3300	powershell.exe	C:\Users\admin\AppData\Local\Temp\hpcmkeyf.0.cs		text
		MD5:B794645974059BD125405F327C5ACE77	SHA256:AFD81C914FE8FA7EE32BE6A797F46A2A829908B45D59100C1052A7BAF2A347DA
3100	csc.exe	C:\Users\admin\AppData\Local\Temp\hpcmkeyf.out		text
		MD5:FFA699CA6EA60E9A046CFE81312080C8	SHA256:F7E4B7041C21A268371F42AD6BCF55FC932D1CDDDACDDCB5BCC397B0CCA1F31B
3100	csc.exe	C:\Users\admin\AppData\Local\Temp\hpcmkeyf.dll		executable
		MD5:B3E5E4386CD29ED1BD1605E8F0705FF0	SHA256:B119DCA2AA724937274A95BDDEB163817B5C5719116FDF336393D3F19D5F17D5
3300	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:2AF279E73EBE24F3A6E689A595D21DA6	SHA256:744A9C29CC187A660EF373FE35642BAC63B4CF8A94D301D90307F3FB0775D35F
4980	csc.exe	C:\Users\admin\AppData\Local\Temp\jnhxthjc.dll		executable
		MD5:1BB7E515EB52CC39023293A0AFB9AC78	SHA256:6C6B64A5EEFE2916C69F4EDDC03A176D3765FEC9D4FB7A795FD69B5038D02892
3300	powershell.exe	C:\Users\admin\AppData\Local\Temp\jnhxthjc.cmdline		text
		MD5:8FB4058A4EF992EA119ADEC7404C5A08	SHA256:CF32FCCA34498C5B578602148F0FEB92A19694E6EA95085F3908EC02685E2752
4448	cvtres.exe	C:\Users\admin\AppData\Local\Temp\RES3D54.tmp		binary
		MD5:407DDB2558ADCE3D39DC60B2A3B6E810	SHA256:D6989FE33F9757BB8DEF0BADD79862E334FCF80B02B94CCDB9192018B1C3597D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.166:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5228	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5228	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5228	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5228	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	1.35 Kb	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	20.223.35.26:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T234103Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=df3c7e7654c74838bd847ac74ef98a60&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968140&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358670&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	2.95 Kb	whitelisted
—	—	POST	400	20.190.160.128:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	GET	200	20.223.35.26:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T234103Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b173ff9c6bed4663b62270833a8a64a9&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968140&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358670&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	2.95 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	23.48.23.166:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1188	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
crl.microsoft.com	23.48.23.166 23.48.23.156 23.48.23.143	whitelisted
login.live.com	20.190.160.130 40.126.32.76 20.190.160.2 20.190.160.65 40.126.32.134 20.190.160.128 40.126.32.136 20.190.160.5	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

Verdacryptor.ps1

1F5488BA61E97E87DF8FE38F422AB656

555BA61DA9AACA4AA014547CFA7C6A094CD4EEA2

44BC57C23C19C1BB99A4430A8A525DCE83A0A3FE559E21907BE6E80D333A29EE

384:sKSUBSzj5mMEEpi0D04eEMls/11AUfoUHKPw3+4CFY1XY:3M5mME00xEbrlkq+40mXY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Bypass User Account Control (Modify registry)

Bypass User Account Control (fodhelper)

SUSPICIOUS

CSC.EXE is used to compile C# code

Executable content was dropped or overwritten

Uses WEVTUTIL.EXE to get a list of log names

Changes default file association

Checks a user's role membership (POWERSHELL)

The process executes Powershell scripts

Starts POWERSHELL.EXE for commands execution

Uses base64 encoding (POWERSHELL)

Uses WEVTUTIL.EXE to cleanup log

INFO

Reads the machine GUID from the registry

Checks supported languages

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Reads security settings of Internet Explorer

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings