Malware analysis bytebreaker.cc Exploit_31035209.exe Malicious activity

Add for printing

File name:	bytebreaker.cc Exploit_31035209.exe
Full analysis:	https://app.any.run/tasks/7e3e143c-80ad-422f-a68b-82192457f476
Verdict:	Malicious activity
Analysis date:	February 12, 2025, 13:55:06
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	auto generic github themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	15D1C495FF66BF7CEA8A6D14BFDF0A20
SHA1:	942814521FA406A225522F208AC67F90DBDE0AE7
SHA256:	61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42
SSDEEP:	98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- Checks Windows Trust Settings
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- There is functionality for taking screenshot (YARA)
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- Start notepad (likely ransomware note)
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6032)
INFO
- The sample compiled with english language support
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - WinRAR.exe (PID: 6032)
- Checks supported languages
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - bytebreaker.exe (PID: 4996)
- Reads the computer name
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - bytebreaker.exe (PID: 4996)
- Checks proxy server information
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - bytebreaker.exe (PID: 4996)
- Reads the machine GUID from the registry
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - bytebreaker.exe (PID: 4996)
- Reads the software policy settings
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
  - bytebreaker.exe (PID: 4996)
- Creates files or folders in the user directory
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 6176)
- Process checks computer location settings
  - bytebreaker.cc Exploit_31035209.exe (PID: 6512)
- Manual execution by a user
  - firefox.exe (PID: 4308)
  - WinRAR.exe (PID: 6032)
  - bytebreaker.exe (PID: 4996)
- Application launched itself
  - firefox.exe (PID: 5712)
  - firefox.exe (PID: 4308)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6032)
- Disables trace logs
  - bytebreaker.exe (PID: 4996)
- Themida protector has been detected
  - bytebreaker.exe (PID: 4996)
- Reads Environment values
  - bytebreaker.exe (PID: 4996)
- Create files in a temporary directory
  - bytebreaker.exe (PID: 4996)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:18 17:00:18+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.22
CodeSize:	4353024
InitializedDataSize:	1675776
UninitializedDataSize:	-
EntryPoint:	0x398c98
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Download Manager
FileVersion:	1
InternalName:	Download Manager
LegalCopyright:	Download Manager
OriginalFileName:	Download Manager
ProductName:	Download Manager
ProductVersion:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1228

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4784 -prefMapHandle 4916 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50309141-6b6a-4a87-9b73-c36b215f5bd2} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" 16f2314eb10 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3928

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 31144 -prefMapSize 244583 -jsInitHandle 1156 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9d7eda-b1e7-4d74-a40d-0e9712f86bfb} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" 16f24520d90 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4308

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

—

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\crypt32.dll

4708

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 31144 -prefMapSize 244583 -jsInitHandle 1156 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa652d6b-3e0e-467d-bf60-bae78ba9914a} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" 16f2437dd90 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

4996

"C:\Users\admin\Desktop\bytebreaker.cc\bytebreaker.exe"

C:\Users\admin\Desktop\bytebreaker.cc\bytebreaker.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

ByteBreaker

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\bytebreaker.cc\bytebreaker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5652

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 31144 -prefMapSize 244583 -jsInitHandle 1156 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c84e8038-3ca2-4fd0-bb05-af9c890b31ae} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" 16f2437df50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll

5712

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6032

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\bytebreakerV2.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6176

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\link.txt

C:\Windows\SysWOW64\notepad.exe

—

bytebreaker.cc Exploit_31035209.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll

Add for printing

Total events

17 446

Read events

17 409

Write events

Delete events

Modification events


(PID) Process:	(6512) bytebreaker.cc Exploit_31035209.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6512) bytebreaker.cc Exploit_31035209.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6512) bytebreaker.cc Exploit_31035209.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6512) bytebreaker.cc Exploit_31035209.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:
(PID) Process:	(5712) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(6032) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6032) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6032) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6032) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\bytebreakerV2.zip
(PID) Process:	(6032) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120

Add for printing

Executable files

Suspicious files

449

Text files

119

Unknown types

Dropped files

PID	Process	Filename		Type
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:691CC3A637642037EFB3DBAE3D9E95FC	SHA256:424825E6B2986E8B19D0D739469B6421C2FDEE2CCDAAA9D31DB4E44AB24E5B03
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
5712	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:C9F5DA3AFB12C140AC9777A62CB872E8	SHA256:7479717A3CFEC1C72184D39CAB822516E7493B42C8D0BBE0C2876A1940E894E0
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\923CD0F3EDBB3759A875E7FE664C6C90_E177412028F15791C29E67CACD8927FC		binary
		MD5:BD282185350E0AC2B4B6EB0709F768F0	SHA256:FB0C376214B12950E5A32859F01E78FEAA17ADB6C39AB68CA1CA9DDF27433099
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:D4467E1D7ECE220D895D6FC4B3FE82DB	SHA256:F7DA7DC4090B477D85F45C3AB81EECB146C9E238BE767009BB8472DEAAB0ED73
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\Local\link.txt		text
		MD5:7D39AC1A6DE585EC9E5A2679389C5B8A	SHA256:D562DF8DB1247FC71F44A64EADDEE0F2564A532F287E2D50DC59833F901648DE
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\logo[1].png		image
		MD5:2D4E9E8198F0C3EADE53C619CD1FE4EA	SHA256:C97E703578120C1F7A570ACAC3B461178A5E051CE16BE9E266C1789C1D610AC0
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:C9BE626E9715952E9B70F92F912B9787	SHA256:C13E8D22800C200915F87F71C31185053E4E60CA25DE2E41E160E09CD2D815D4
6512	bytebreaker.cc Exploit_31035209.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C2C9D7FCC58B6FD9BF152E66809C1BBE_9962014287DF49023620C3F0C27B8ACE		binary
		MD5:70F97DDFBB2C32E046EFFE2E145B8B70	SHA256:18AB0FFA60AF63A1C8F09D9320D72B8B467601759D945E6FFF1DE3F1E43361CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

124

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1488	svchost.exe	GET	200	23.48.23.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1488	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6512	bytebreaker.cc Exploit_31035209.exe	GET	200	142.250.186.163:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
6512	bytebreaker.cc Exploit_31035209.exe	GET	200	172.217.23.99:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6512	bytebreaker.cc Exploit_31035209.exe	GET	200	216.58.212.163:80	http://o.pki.goog/s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D	unknown	—	—	whitelisted
6512	bytebreaker.cc Exploit_31035209.exe	GET	200	216.58.212.163:80	http://o.pki.goog/s/wr3/URM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEFET1OsgXJOMCsceBPevDRA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.190:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1488	svchost.exe	23.48.23.190:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1488	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	92.123.104.29:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	40.126.31.131:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.48.23.190 23.48.23.140 23.48.23.146 23.48.23.150 23.48.23.194 23.48.23.192 23.48.23.191 23.48.23.183 23.48.23.137	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
www.bing.com	92.123.104.29 92.123.104.33 92.123.104.32 92.123.104.30 92.123.104.27 92.123.104.35 92.123.104.34 92.123.104.31 92.123.104.36	whitelisted
ocsp.digicert.com	23.54.109.203 2.23.77.188	whitelisted
login.live.com	40.126.31.131 20.190.159.131 40.126.31.130 40.126.31.3 20.190.159.0 20.190.159.64 20.190.159.4 40.126.31.71	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.dlsft.com	35.190.60.70	unknown
ocsp.pki.goog	172.217.23.99	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

Process	Message
bytebreaker.cc Exploit_31035209.exe
bytebreaker.cc Exploit_31035209.exe	at getFileInfo.@307@46 (this://app/main.html(329))
bytebreaker.cc Exploit_31035209.exe	Error: (undefined) has no property - value
bytebreaker.cc Exploit_31035209.exe
bytebreaker.cc Exploit_31035209.exe	at initializeDynamicVariables (this://app/main.html(351))
bytebreaker.cc Exploit_31035209.exe	scanning node question /questions/question
bytebreaker.cc Exploit_31035209.exe	scanning node question /questions/question
bytebreaker.cc Exploit_31035209.exe	scanning node questions /questions
bytebreaker.cc Exploit_31035209.exe	scanning node question /questions/question
bytebreaker.cc Exploit_31035209.exe	scanning node question /questions/question

General Info

bytebreaker.cc Exploit_31035209.exe

15D1C495FF66BF7CEA8A6D14BFDF0A20

942814521FA406A225522F208AC67F90DBDE0AE7

61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42

98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

SUSPICIOUS

Reads security settings of Internet Explorer

Checks Windows Trust Settings

There is functionality for taking screenshot (YARA)

Start notepad (likely ransomware note)

Process drops legitimate windows executable

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Process checks computer location settings

Manual execution by a user

Application launched itself

Executable content was dropped or overwritten

Disables trace logs

Themida protector has been detected

Reads Environment values

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings